| comp.info.servers.unix Web servers for UNIX platforms. |
#1
Hi,
I followed http://httpd.apache.org/docs-2.0/ssl...bitraryclients to set up client certificate based authentication on a directory of my server (SuSE 9.0, apache2-2.0.48-149 RPM).

In /etc/apache2/vhosts.d/vhost-ssl.conf I added

    <VirtualHost IP:443>
    ....
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    ....
    <Directory /srv/www/htdocs/web1/public_html/secret>
        SSLVerifyClient optional_no_ca
        SSLOptions +FakeBasicAuth
        AuthName "secret"
        AuthType Basic
        AuthUserFile /srv/www/htdocs/web1/httpd.passwd
        require valid-user
    </Directory>
    </VirtualHost>

(The "optional_no_ca" is just for getting started; it will be changed later.)

httpd.passwd contains the DN determined by

    openssl x509 -noout -subject -in barmala.com.cer

suffixed by ":xxj31ZMTZzkVA".

When I access https://www.myserver.com/secret/ MSIE (WinXP SP2) asks me to select a certificate from a list. If I hit cancel, I get the "basic authentication" dialog, and if I cancel this dialog I get a 401: "Authentication failed". This works as expected.

If I do select a cert, MSIE asks me for permission/credentials to access the private key, which is still what I expect, but then I get "Page not available, server or dns can't be found". I know this is a quite generic error message, which doesn't tell much about the real reason.

I watched /var/log/apache2/error_log: As soon as the first dialog pops up in MSIE I get

    "Re-negotiation handshake failed: Not accepted by client!?"

When I submit a cert, I get

    "child pid 3977 exit signal Segmentation fault (11)"

I changed SSLv2 to SSLv3, but got the same result.

BTW: Firefox doesn't even give me the dialog to select a cert, but rather asks me for username/password like in basic auth.

Any idea?

Christian
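The httpd.passwd entry described in the post above (certificate subject DN suffixed by ":xxj31ZMTZzkVA"), as an added shell example that is not part of the original thread: it builds the entry from a line of `openssl x509 -noout -subject` output and audits an existing AuthUserFile for entries that cannot match. The function names and sample DNs are constructed, and the slash-separated one-line DN is assumed to be the form mod_ssl presents as the user name.

```shell
#!/bin/sh
# Added example, not from the original thread.
# FAKE_PW is the fixed suffix quoted in the post.
FAKE_PW='xxj31ZMTZzkVA'

# Turn one line of `openssl x509 -noout -subject` output into an
# AuthUserFile entry. Accepts "subject= /C=..." and "subject=/C=...".
# Rejects any other DN rendering (e.g. "C = DE, CN = x"), and DNs that
# contain ':' because the file format separates user and hash with ':'.
subject_to_entry() {
    dn=$(printf '%s\n' "$1" |
         sed -e 's/^subject=[[:space:]]*//' -e 's/[[:space:]]*$//')
    case "$dn" in
        *:*)  echo "DN contains ':': $1" >&2; return 1 ;;
        /*=*) ;;
        *)    echo "not a one-line /K=V DN: $1" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$dn" "$FAKE_PW"
}

# Print how many non-empty lines of an AuthUserFile are unusable for
# FakeBasicAuth: user field is not a /K=V DN, or the hash is not FAKE_PW.
audit_passwd_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%:*}      # everything before the last ':'
        hash=${line##*:}     # everything after the last ':'
        case "$user" in
            *:*)  ok=0 ;;
            /*=*) ok=1 ;;
            *)    ok=0 ;;
        esac
        if [ "$ok" -ne 1 ] || [ "$hash" != "$FAKE_PW" ]; then
            echo "unusable entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "$bad"
}

# Constructed sample subject line, not a real certificate.
subject_to_entry 'subject= /C=DE/O=Example/CN=Test User'
```
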

#2
"Christian Barmala" <christian.barmala@gmx.net> writes:
> When I submit a cert, I get
> "child pid 3977 exit signal Segmentation fault (11)"

That is definitely a bug and if it's reproducible you should post a bug report, preferably with an example certificate that induces the crash.