Client-cert auth no longer works

Anything concerning Apache can be discussed here.

Client-cert auth no longer works

Post by fibbs » 12 January 2010 10:07

Hello dear Apache friends!

I have client-certificate authentication (from a smart card) in use on several machines here. Last week I upgraded from SLES 10 SP2 to SP3; since then this authentication no longer works, for a reason that is so far unknown.

I have already restored the /etc/apache2 directory as it was before the upgrade from backup and compared the changes; the whole directory is identical.

I have the following configuration section for the vhost (company name, hostname and the like are changed):
Code:
<IfDefine SSL>
<IfDefine !NOSSL>


<VirtualHost 10.252.5.100:443>

        DocumentRoot "/srv/www/htdocs"
        ServerName hostname.domainname:443
        ServerAdmin christian.anton@company.com
        ErrorLog /var/log/apache2/ssl_error_log
        LogLevel debug
        TransferLog /var/log/apache2/ssl_access_log

        SSLEngine on

        #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        SSLCertificateFile /etc/apache2/ssl/hostname.domainname.crt

        SSLCertificateKeyFile /etc/apache2/ssl/hostname.domainname.key

        SSLCACertificateFile /etc/apache2/ssl/ca_company.pem


        ScriptAlias /nagios/cgi-bin "/usr/lib/nagios/cgi"
        Alias /nagios/pnp "/usr/share/pnp"
        Alias /nagios "/usr/share/nagios"
        <Location /nagios>
           SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire

           # Per-directory client verification: mod_ssl only knows the
           # requested Location after the first handshake, so it has to
           # renegotiate to request the certificate.
           SSLVerifyClient require
           SSLVerifyDepth 3

           SSLUserName SSL_CLIENT_S_DN_CN
           SSLRequireSSL
           SSLRequire %{SSL_CLIENT_S_DN_O}  eq "COMPANY"

           # include script-written conf file
           #Include /etc/nagios/nagios-ldap.d/httpd_ldap_require
           #Include /etc/nagios-ldap/httpd_ldap_require

        </Location>


        CustomLog /var/log/apache2/ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
</VirtualHost>
....



When the client now tries to open the page, the following appears in the debug log:
Code:
[Tue Jan 12 09:56:45 2010] [info] [client 10.244.128.101] Connection to child 4 established (server hostname.domainname.com:443)
[Tue Jan 12 09:56:45 2010] [info] Seeding PRNG with 144 bytes of entropy
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 b1 01 00 00-ad 03 01                 ...........      |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 171/171 bytes from BIO#5555559e88f0 [mem: 5555559edfbb] (BIO dump follows)
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0000: 4b 4c 39 4d ee 4a d0 58-c4 96 94 52 25 22 53 8f  KL9M.J.X...R%"S. |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0010: a1 7b 92 f4 d9 f4 87 fd-77 49 19 07 31 c5 a8 53  .{......wI..1..S |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0020: 00 00 44 c0 0a c0 14 00-88 00 87 00 39 00 38 c0  ..D.........9.8. |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0030: 0f c0 05 00 84 00 35 c0-07 c0 09 c0 11 c0 13 00  ......5......... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0040: 45 00 44 00 33 00 32 c0-0c c0 0e c0 02 c0 04 00  E.D.3.2......... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0050: 41 00 04 00 05 00 2f c0-08 c0 12 00 16 00 13 c0  A...../......... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0060: 0d c0 03 fe ff 00 0a 01-00 00 40 00 00 00 26 00  ..........@...&. |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0070: 24 00 00 21 73 65 63 2d-73 79 73 6d 67 6d 74 2d  $..!sec-sysmgmt- |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0080: 74 65 73 74 2e 69 6e 74-72 61 6e 65 74 2e 65 6f  test.intranet.eo |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0090: 6e 2e 63 6f 6d 00 0a 00-08 00 06 00 17 00 18 00  n.com........... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 00a0: 19 00 0b 00 02 01 00 00-23                       ........#        |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1751): | 0171 - <SPACES/NULS>
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1143): [client 10.244.128.101] handing out temporary 1024 bit DH key
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write key exchange A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server done A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 86                                   .....            |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 134/134 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 10 00 00 82 00 80 99 b9-05 3c 22 e8 f0 41 50 64  .........<"..APd |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0010: 02 14 56 1e a9 4c 77 ce-2c 36 2b 79 77 c2 b4 af  ..V..Lw.,6+yw... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0020: cd 06 34 e6 c9 16 bf 36-2a ae e9 9b be 12 62 a2  ..4....6*.....b. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0030: a4 7b c6 03 89 5f ef e8-c8 c4 45 3a cb 50 32 cf  .{..._....E:.P2. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0040: 4b c0 42 ec 78 9c df 18-f6 65 20 1d 36 53 76 e6  K.B.x....e .6Sv. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0050: 48 61 b0 6b e5 75 db 29-32 14 d1 11 3b 5e 7a d6  Ha.k.u.)2...;^z. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0060: 1d df 49 57 80 81 cd fa-bb 48 33 e5 30 96 da 57  ..IW.....H3.0..W |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0070: b1 f1 f0 68 9a 5a 2d 5d-29 e1 a1 3b 22 22 96 6b  ...h.Z-])..;"".k |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0080: 51 00 9e 78 d8 ef                                Q..x..           |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client key exchange A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 14 03 01 00 01                                   .....            |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 1/1 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 01                                               .                |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 30                                   ....0            |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 48/48 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: b6 eb a5 03 6e bb 09 23-6c 55 d0 c4 a4 51 b8 e8  ....n..#lU...Q.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0010: 8f 09 9a 0c 97 2a 00 70-d4 b4 4b ee 57 9c 47 1a  .....*.p..K.W.G. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0020: 2e fe f2 54 fb a3 df 16-fd b7 fd 07 0f 56 15 8a  ...T.........V.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write change cipher spec A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(670): inside shmcb_store_session
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(676): session_id[0]=169, masked index=9
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1059): entering shmcb_insert_encoded_session, *queue->pos_count = 0
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(983): entering shmcb_expire_division
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1115): we have 13853 bytes and 133 indexes free - enough
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1144): storing in index 0, at offset 0
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1159): session_id[0]=169, idx->s_id2=108
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1170): leaving now with 148 bytes in the cache and 1 indexes
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1174): leaving shmcb_insert_encoded_session
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(704): leaving shmcb_store successfully
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(418): shmcb_store successful
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=A96C59B5C9849CCC7D2848D408F3C97B75DFC1212CE9BC437C84F89567EB1A92 timeout=599s (session caching)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
[Tue Jan 12 09:56:46 2010] [info] Connection: Client IP: 10.244.128.101, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 17 03 01 01 c0                                   .....            |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 448/448 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: c8 e8 ef 48 a7 09 11 b5-9a 88 40 d6 2b 46 96 63  ...H......@.+F.c |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0010: b5 f2 33 04 03 12 66 b5-2e b9 23 23 19 1c c3 8d  ..3...f...##.... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0020: 39 be 54 97 ae 41 42 b7-0e b6 57 20 35 84 92 be  9.T..AB...W 5... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0030: 7c 50 1b 9c dd c5 a0 e7-46 39 75 ec e2 9c 73 8b  |P......F9u...s. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0040: 7c 4e 57 cb e2 59 01 32-8c 2b 7f 4f ba ad 4a 1f  |NW..Y.2.+.O..J. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0050: 53 97 53 c0 a6 7f c4 4b-2f 19 d7 a6 d2 38 97 f3  S.S....K/....8.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0060: 79 89 99 8c a1 de 54 8f-ff d8 0d 9c a5 8c a1 80  y.....T......... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0070: 8b ba 1b 11 da 5c 69 e4-1b 51 8a bf 6d e1 47 9b  .....\\i..Q..m.G. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0080: 07 9f 28 6d 92 17 01 41-66 d0 39 ec 46 ce 70 f9  ..(m...Af.9.F.p. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0090: 79 70 22 c9 2e 70 2f 0b-e2 b9 9d 35 7c 2f fa d5  yp"..p/....5|/.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00a0: 96 f4 ab 89 44 c7 b3 d0-c0 df ed 71 ee 29 62 db  ....D......q.)b. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00b0: af ff 80 6a b3 54 92 77-28 72 ff 0d ce ba b2 e7  ...j.T.w(r...... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00c0: b2 3c 3d 29 24 f3 1b 12-fd 23 b0 db 1e 5b 98 b6  .<=)$....#...[.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00d0: 5a 03 47 f9 3a ea 3e 0a-d0 55 e4 17 e1 65 8a bf  Z.G.:.>..U...e.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00e0: 94 25 6c 52 cc 1d 36 bc-10 d7 6d ad ca 78 a8 c4  .%lR..6...m..x.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00f0: 58 d9 39 ba 3a ed 52 8e-24 10 72 8a 61 2f 9c a2  X.9.:.R.$.r.a/.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0100: 74 95 60 cb dd 5e af 83-8f b2 04 16 01 b3 ce 79  t.`..^.........y |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0110: b9 e5 fe 83 d2 e8 82 9c-44 c8 c1 88 15 b8 4b a0  ........D.....K. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0120: a2 76 3b ad f1 2e 4d ac-7e 1c 44 d8 a7 4d ab c6  .v;...M.~.D..M.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0130: 1e b2 77 95 58 5a 70 7e-35 b2 ab 81 0f ff 2c 97  ..w.XZp~5.....,. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0140: 4e fe 82 f7 e7 b6 02 09-7b eb bb a3 dc 13 bc 15  N.......{....... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0150: 8a a1 85 d9 2e 96 69 27-14 fe d4 21 f9 15 4e 20  ......i'...!..N  |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0160: ac 51 e4 fd 72 8a c9 d3-61 e8 00 e1 7f 22 68 25  .Q..r...a...."h% |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0170: 9e ca c6 23 f1 0c 23 cf-bb 24 20 96 dd 8a 36 ed  ...#..#..$ ...6. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0180: 23 a8 34 4a cd a6 8b 40-fc 19 c2 54 f2 11 8e eb  #.4J...@...T.... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0190: 24 35 ec de 0a 4f ac 02-5b a3 0b de 15 9f 9f ed  $5...O..[....... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 01a0: eb 25 43 6b cc da 2c 45-78 6c c6 3a 09 44 08 e9  .%Ck..,Exl.:.D.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 01b0: fd af 48 54 9b 4a 37 96-40 82 37 e5 0a 5c 0d 24  ..HT.J7.@.7..\\.$ |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [info] Initial (No.1) HTTPS request received for child 4 (server hostname.domainname.com:443)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(426): Changed client verification type will force renegotiation
[Tue Jan 12 09:56:46 2010] [info] Requesting connection re-negotiation
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(616): Performing full renegotiation: complete handshake protocol
[Tue Jan 12 09:56:46 2010] [info] Awaiting re-negotiation handshake
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: before accept initialization
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client hello A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Jan 12 09:56:46 2010] [error] Re-negotiation handshake failed: Not accepted by client!?


On the client, the PIN prompt for the certificate does not even appear. So it looks as if the web server does not request the client certificate at all, but then still complains that the client did not present it.

I can export the certificate from the smart card, copy it to the web server and check it against the CA with openssl. If my understanding is correct, that should be exactly what Apache does as well. I have also already commented out the SSLRequire line as a test, so that _anyone_ whose client certificate is properly signed by the CA would be allowed to log in.

Code:
openssl verify -CAfile /etc/apache2/ssl/ca_company.pem /tmp/C11188.cer
/tmp/C11188.cer: OK


Does anyone have an idea how I can get to the bottom of this problem? I am not expecting a solution, but a way for me, as a non-full-time Apache professional, to find out where exactly what goes wrong and above all how it can come to this. By now I am almost afraid that SuSE shipped a buggy version of the openssl bits in Apache with the updates.


Looking forward to ideas, suggestions, ...


Best regards


Christian
fibbs
 
Posts: 1
Joined: 12 January 2010 09:31
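As an added illustration (not part of the original post, and not a statement by its author): the log above shows the first handshake completing without the server ever asking for a certificate, then "Changed client verification type will force renegotiation" followed by "Re-negotiation handshake failed: Not accepted by client!?". That sequence is what happens when SSLVerifyClient lives inside <Location>: mod_ssl only learns the requested path after the first handshake, so it has to start a second handshake to request the certificate. If the server's OpenSSL refuses renegotiation (OpenSSL builds patched for CVE-2009-3555 disabled it by default from late 2009; whether the SP3 update did this is an assumption, not confirmed on this page, so check `rpm -q --changelog openssl` and the OpenSSL version mod_ssl reports), that second handshake can never succeed and the browser never gets to the PIN prompt. A quick check from any shell: `openssl s_client -connect hostname.domainname:443`, then type `R` and Enter to request a renegotiation; a refused renegotiation shows up as a handshake failure. The vhost below (names and paths assumed from the post) sidesteps the problem by requesting the client certificate in the initial handshake, so no renegotiation is needed:

```apacheconf
# Added example, not the original poster's configuration.
# Client-certificate authentication for /nagios without TLS renegotiation:
# SSLVerifyClient / SSLVerifyDepth are moved from <Location> to <VirtualHost>
# scope, so mod_ssl sends the CertificateRequest in the first handshake.
# Hostnames, IP and paths are assumed to match the original post.

<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost 10.252.5.100:443>
    DocumentRoot "/srv/www/htdocs"
    ServerName   hostname.domainname:443
    ServerAdmin  christian.anton@company.com
    ErrorLog     /var/log/apache2/ssl_error_log
    TransferLog  /var/log/apache2/ssl_access_log
    # Raise to "debug" again while troubleshooting; "info" is enough otherwise.
    LogLevel info

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/hostname.domainname.crt
    SSLCertificateKeyFile /etc/apache2/ssl/hostname.domainname.key
    # CA that issued the smart-card certificates; the chain must validate
    # within SSLVerifyDepth.
    SSLCACertificateFile  /etc/apache2/ssl/ca_company.pem

    # Verification at vhost scope: the certificate is requested and checked
    # during the initial handshake, no renegotiation.
    # "require" rejects every client without a valid certificate for the
    # whole vhost. If some paths must stay reachable without a certificate,
    # use "optional" here and let the per-Location SSLRequire below (with
    # +StrictRequire) deny access to /nagios instead.
    SSLVerifyClient require
    SSLVerifyDepth  3

    ScriptAlias /nagios/cgi-bin "/usr/lib/nagios/cgi"
    Alias /nagios/pnp "/usr/share/pnp"
    Alias /nagios     "/usr/share/nagios"
    <Location /nagios>
        SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
        SSLRequireSSL
        # Evaluated per request against the already-verified certificate;
        # these directives do not trigger a renegotiation.
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "COMPANY"
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>

    # SSL_CLIENT_VERIFY logs SUCCESS / NONE / FAILED:reason per request, which
    # makes a missing or rejected certificate visible without debug logging.
    CustomLog /var/log/apache2/ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
</VirtualHost>
</IfDefine>
</IfDefine>
```

After `apache2ctl configtest` and a restart, the debug log for a request to /nagios should show the certificate exchange inside the first handshake ("SSLv3 read client certificate A" before "Handshake: done") and no "Requesting connection re-negotiation" line; the smart-card middleware should then prompt for the PIN as soon as the connection is opened.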

Re: Client-cert auth no longer works

Post by Nobbie » 12 January 2010 11:05

fibbs wrote: Looking forward to ideas, suggestions, ...


I don't think anyone here can contribute anything, because this is the wrong forum. This is the forum for the Apache from the XAMPP Linux package, but that is not what you have installed.

With this problem you should turn to Novell (or whoever maintains SLES); there seems to be a kernel problem with SSL.
Nobbie
 
Posts: 8775
Joined: 09 March 2008 13:04
