I have client-certificate authentication (from a smartcard) running on a few machines here. Last week I upgraded from SLES 10 SP2 to SP3, and since then this authentication has stopped working, for reasons as yet unknown.
I have already restored the /etc/apache2 directory from the pre-upgrade backup and compared it against the new state; the whole directory is identical.
This is the configuration section I have for the vhost (company name, hostname etc. have been changed):
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost 10.252.5.100:443>
    DocumentRoot "/srv/www/htdocs"
    ServerName hostname.domainname:443
    ServerAdmin christian.anton@company.com
    ErrorLog /var/log/apache2/ssl_error_log
    LogLevel debug
    TransferLog /var/log/apache2/ssl_access_log

    SSLEngine on
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/hostname.domainname.crt
    SSLCertificateKeyFile /etc/apache2/ssl/hostname.domainname.key
    SSLCACertificateFile /etc/apache2/ssl/ca_company.pem

    ScriptAlias /nagios/cgi-bin "/usr/lib/nagios/cgi"
    Alias /nagios/pnp "/usr/share/pnp"
    Alias /nagios "/usr/share/nagios"

    <Location /nagios>
        SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 3
        SSLUserName SSL_CLIENT_S_DN_CN
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "COMPANY"
        # include script-written conf file
        #Include /etc/nagios/nagios-ldap.d/httpd_ldap_require
        #Include /etc/nagios-ldap/httpd_ldap_require
    </Location>

    CustomLog /var/log/apache2/ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
</VirtualHost>
....
When the client now tries to open the page, the following appears in the debug log:
[Tue Jan 12 09:56:45 2010] [info] [client 10.244.128.101] Connection to child 4 established (server hostname.domainname.com:443)
[Tue Jan 12 09:56:45 2010] [info] Seeding PRNG with 144 bytes of entropy
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 b1 01 00 00-ad 03 01 ........... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 171/171 bytes from BIO#5555559e88f0 [mem: 5555559edfbb] (BIO dump follows)
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0000: 4b 4c 39 4d ee 4a d0 58-c4 96 94 52 25 22 53 8f KL9M.J.X...R%"S. |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0010: a1 7b 92 f4 d9 f4 87 fd-77 49 19 07 31 c5 a8 53 .{......wI..1..S |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0020: 00 00 44 c0 0a c0 14 00-88 00 87 00 39 00 38 c0 ..D.........9.8. |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0030: 0f c0 05 00 84 00 35 c0-07 c0 09 c0 11 c0 13 00 ......5......... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0040: 45 00 44 00 33 00 32 c0-0c c0 0e c0 02 c0 04 00 E.D.3.2......... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0050: 41 00 04 00 05 00 2f c0-08 c0 12 00 16 00 13 c0 A...../......... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0060: 0d c0 03 fe ff 00 0a 01-00 00 40 00 00 00 26 00 ..........@...&. |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0070: 24 00 00 21 73 65 63 2d-73 79 73 6d 67 6d 74 2d $..!sec-sysmgmt- |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0080: 74 65 73 74 2e 69 6e 74-72 61 6e 65 74 2e 65 6f test.intranet.eo |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 0090: 6e 2e 63 6f 6d 00 0a 00-08 00 06 00 17 00 18 00 n.com........... |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1747): | 00a0: 19 00 0b 00 02 01 00 00-23 ........# |
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1751): | 0171 - <SPACES/NULS>
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1143): [client 10.244.128.101] handing out temporary 1024 bit DH key
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write key exchange A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server done A
[Tue Jan 12 09:56:45 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 86 ..... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 134/134 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 10 00 00 82 00 80 99 b9-05 3c 22 e8 f0 41 50 64 .........<"..APd |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0010: 02 14 56 1e a9 4c 77 ce-2c 36 2b 79 77 c2 b4 af ..V..Lw.,6+yw... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0020: cd 06 34 e6 c9 16 bf 36-2a ae e9 9b be 12 62 a2 ..4....6*.....b. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0030: a4 7b c6 03 89 5f ef e8-c8 c4 45 3a cb 50 32 cf .{..._....E:.P2. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0040: 4b c0 42 ec 78 9c df 18-f6 65 20 1d 36 53 76 e6 K.B.x....e .6Sv. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0050: 48 61 b0 6b e5 75 db 29-32 14 d1 11 3b 5e 7a d6 Ha.k.u.)2...;^z. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0060: 1d df 49 57 80 81 cd fa-bb 48 33 e5 30 96 da 57 ..IW.....H3.0..W |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0070: b1 f1 f0 68 9a 5a 2d 5d-29 e1 a1 3b 22 22 96 6b ...h.Z-])..;"".k |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0080: 51 00 9e 78 d8 ef Q..x.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client key exchange A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 14 03 01 00 01 ..... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 1/1 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 01 . |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 30 ....0 |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 48/48 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: b6 eb a5 03 6e bb 09 23-6c 55 d0 c4 a4 51 b8 e8 ....n..#lU...Q.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0010: 8f 09 9a 0c 97 2a 00 70-d4 b4 4b ee 57 9c 47 1a .....*.p..K.W.G. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0020: 2e fe f2 54 fb a3 df 16-fd b7 fd 07 0f 56 15 8a ...T.........V.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write change cipher spec A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(670): inside shmcb_store_session
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(676): session_id[0]=169, masked index=9
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1059): entering shmcb_insert_encoded_session, *queue->pos_count = 0
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(983): entering shmcb_expire_division
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1115): we have 13853 bytes and 133 indexes free - enough
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1144): storing in index 0, at offset 0
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1159): session_id[0]=169, idx->s_id2=108
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1170): leaving now with 148 bytes in the cache and 1 indexes
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(1174): leaving shmcb_insert_encoded_session
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(704): leaving shmcb_store successfully
[Tue Jan 12 09:56:46 2010] [debug] ssl_scache_shmcb.c(418): shmcb_store successful
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=A96C59B5C9849CCC7D2848D408F3C97B75DFC1212CE9BC437C84F89567EB1A92 timeout=599s (session caching)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
[Tue Jan 12 09:56:46 2010] [info] Connection: Client IP: 10.244.128.101, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555559e88f0 [mem: 5555559edfb0] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: 17 03 01 01 c0 ..... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1775): OpenSSL: read 448/448 bytes from BIO#5555559e88f0 [mem: 5555559edfb5] (BIO dump follows)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0000: c8 e8 ef 48 a7 09 11 b5-9a 88 40 d6 2b 46 96 63 ...H......@.+F.c |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0010: b5 f2 33 04 03 12 66 b5-2e b9 23 23 19 1c c3 8d ..3...f...##.... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0020: 39 be 54 97 ae 41 42 b7-0e b6 57 20 35 84 92 be 9.T..AB...W 5... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0030: 7c 50 1b 9c dd c5 a0 e7-46 39 75 ec e2 9c 73 8b |P......F9u...s. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0040: 7c 4e 57 cb e2 59 01 32-8c 2b 7f 4f ba ad 4a 1f |NW..Y.2.+.O..J. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0050: 53 97 53 c0 a6 7f c4 4b-2f 19 d7 a6 d2 38 97 f3 S.S....K/....8.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0060: 79 89 99 8c a1 de 54 8f-ff d8 0d 9c a5 8c a1 80 y.....T......... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0070: 8b ba 1b 11 da 5c 69 e4-1b 51 8a bf 6d e1 47 9b .....\i..Q..m.G. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0080: 07 9f 28 6d 92 17 01 41-66 d0 39 ec 46 ce 70 f9 ..(m...Af.9.F.p. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0090: 79 70 22 c9 2e 70 2f 0b-e2 b9 9d 35 7c 2f fa d5 yp"..p/....5|/.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00a0: 96 f4 ab 89 44 c7 b3 d0-c0 df ed 71 ee 29 62 db ....D......q.)b. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00b0: af ff 80 6a b3 54 92 77-28 72 ff 0d ce ba b2 e7 ...j.T.w(r...... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00c0: b2 3c 3d 29 24 f3 1b 12-fd 23 b0 db 1e 5b 98 b6 .<=)$....#...[.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00d0: 5a 03 47 f9 3a ea 3e 0a-d0 55 e4 17 e1 65 8a bf Z.G.:.>..U...e.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00e0: 94 25 6c 52 cc 1d 36 bc-10 d7 6d ad ca 78 a8 c4 .%lR..6...m..x.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 00f0: 58 d9 39 ba 3a ed 52 8e-24 10 72 8a 61 2f 9c a2 X.9.:.R.$.r.a/.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0100: 74 95 60 cb dd 5e af 83-8f b2 04 16 01 b3 ce 79 t.`..^.........y |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0110: b9 e5 fe 83 d2 e8 82 9c-44 c8 c1 88 15 b8 4b a0 ........D.....K. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0120: a2 76 3b ad f1 2e 4d ac-7e 1c 44 d8 a7 4d ab c6 .v;...M.~.D..M.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0130: 1e b2 77 95 58 5a 70 7e-35 b2 ab 81 0f ff 2c 97 ..w.XZp~5.....,. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0140: 4e fe 82 f7 e7 b6 02 09-7b eb bb a3 dc 13 bc 15 N.......{....... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0150: 8a a1 85 d9 2e 96 69 27-14 fe d4 21 f9 15 4e 20 ......i'...!..N |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0160: ac 51 e4 fd 72 8a c9 d3-61 e8 00 e1 7f 22 68 25 .Q..r...a...."h% |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0170: 9e ca c6 23 f1 0c 23 cf-bb 24 20 96 dd 8a 36 ed ...#..#..$ ...6. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0180: 23 a8 34 4a cd a6 8b 40-fc 19 c2 54 f2 11 8e eb #.4J...@...T.... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 0190: 24 35 ec de 0a 4f ac 02-5b a3 0b de 15 9f 9f ed $5...O..[....... |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 01a0: eb 25 43 6b cc da 2c 45-78 6c c6 3a 09 44 08 e9 .%Ck..,Exl.:.D.. |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1747): | 01b0: fd af 48 54 9b 4a 37 96-40 82 37 e5 0a 5c 0d 24 ..HT.J7.@.7..\.$ |
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Jan 12 09:56:46 2010] [info] Initial (No.1) HTTPS request received for child 4 (server hostname.domainname.com:443)
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(426): Changed client verification type will force renegotiation
[Tue Jan 12 09:56:46 2010] [info] Requesting connection re-negotiation
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(616): Performing full renegotiation: complete handshake protocol
[Tue Jan 12 09:56:46 2010] [info] Awaiting re-negotiation handshake
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: before accept initialization
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client hello A
[Tue Jan 12 09:56:46 2010] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Jan 12 09:56:46 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
On the client, not even the PIN prompt for the certificate appears. So it looks as if the web server does not request the client certificate at all, but then complains anyway that the client did not present one.
I can export the certificate from the smartcard, copy it to the web server and verify it against the CA with openssl. If my understanding is correct, that should be exactly what apache does as well. I had also already commented out the SSLRequire line as a test, so that _anyone_ whose client certificate is properly signed by the CA would be allowed to log in.
openssl verify -CAfile /etc/apache2/ssl/ca_company.pem /tmp/C11188.cer
/tmp/C11188.cer: OK
Does anyone have an idea how I can get to the bottom of this problem? I am not expecting a solution, but a way for me, as a non-expert in apache, to find out where exactly things go wrong and, above all, how that can come about. By now I am almost afraid that SuSE has shipped a buggy version of the openssl bits in apache with the updates.
Looking forward to ideas, suggestions, ...
Best regards
Christian
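An added example, not part of Christian's post, for the situation the log above shows. The lines "Changed client verification type will force renegotiation" and "Re-negotiation handshake failed: Not accepted by client!?" mean that mod_ssl completed the initial handshake without asking for a client certificate (SSLVerifyClient is set only inside <Location /nagios>, so at handshake time the vhost default applies) and then tried to renegotiate once it saw the request path. If the server's TLS library refuses renegotiation, as OpenSSL 0.9.8l did in response to CVE-2009-3555, that second handshake fails before the browser ever asks for the smartcard PIN. The script below audits a config for the three directives that mod_ssl can only honour per directory by renegotiating (SSLVerifyClient, SSLVerifyDepth, SSLCipherSuite) and writes two constructed config samples, modelled on the post with its paths and IP, showing the per-Location layout beside a vhost-level layout that requests the certificate in the initial handshake. The file names and the demo function are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache mod_ssl config for
# directives that mod_ssl can only honour by renegotiating the TLS session when
# they appear inside <Location>/<Directory> (SSLVerifyClient, SSLVerifyDepth,
# SSLCipherSuite), and show the vhost-level layout that avoids renegotiation.
# Paths and the IP below are taken from the post; file names are constructed.

# audit_ssl_verify_scope CONF
#   Prints every renegotiation-triggering directive found inside a
#   per-directory container as "file:line: text" and returns 1 if there was
#   at least one hit, 0 otherwise. Commented-out directives are ignored.
audit_ssl_verify_scope() {
    hits=$(awk '
        # track nesting of per-directory containers; <VirtualHost> does not count
        /^[ \t]*<(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)[ \t>]/ { depth++ }
        /^[ \t]*<\/(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)>/      { depth-- }
        depth > 0 && /^[ \t]*(SSLVerifyClient|SSLVerifyDepth|SSLCipherSuite)[ \t]/ {
            print FILENAME ":" FNR ": " $0
        }
    ' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# write_samples DIR
#   before.conf: the per-Location layout from the post, which forces a
#   renegotiation on the first request to /nagios.
#   after.conf: verification at vhost scope, so the CertificateRequest is part
#   of the initial handshake and no renegotiation is needed.
write_samples() {
    cat > "$1/before.conf" <<'EOF'
<VirtualHost 10.252.5.100:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/hostname.domainname.crt
    SSLCertificateKeyFile /etc/apache2/ssl/hostname.domainname.key
    SSLCACertificateFile  /etc/apache2/ssl/ca_company.pem
    <Location /nagios>
        SSLOptions +StdEnvVars +ExportCertData +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 3
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "COMPANY"
    </Location>
</VirtualHost>
EOF
    cat > "$1/after.conf" <<'EOF'
<VirtualHost 10.252.5.100:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/hostname.domainname.crt
    SSLCertificateKeyFile /etc/apache2/ssl/hostname.domainname.key
    SSLCACertificateFile  /etc/apache2/ssl/ca_company.pem
    # Verification settings at vhost scope: the client certificate is requested
    # in the initial handshake, so mod_ssl never has to renegotiate.
    SSLVerifyClient require
    SSLVerifyDepth 3
    <Location /nagios>
        SSLOptions +StdEnvVars +ExportCertData +StrictRequire
        SSLRequireSSL
        # SSLRequire is evaluated per request and does not trigger renegotiation.
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "COMPANY"
    </Location>
</VirtualHost>
EOF
}

# Stand-alone demonstration: audit both samples and report the result.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in before after; do
        if audit_ssl_verify_scope "$dir/$f.conf"; then
            echo "$f.conf: no per-directory verification directives, no renegotiation needed"
        else
            echo "$f.conf: the directives above force a TLS renegotiation on the first request"
        fi
    done
    rm -rf "$dir"
}
demo
```

Moving SSLVerifyClient to the vhost makes the certificate mandatory for every path on that vhost; if other paths must stay reachable without a card, use `SSLVerifyClient optional` at vhost scope and enforce the certificate per path with `SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" and %{SSL_CLIENT_S_DN_O} eq "COMPANY"` instead of a second SSLVerifyClient, which would again change the verify mode and force renegotiation. To reproduce the handshake outside the browser, `openssl s_client -connect hostname.domainname:443 -cert client.pem -key client.key -CAfile /etc/apache2/ssl/ca_company.pem` followed by a `GET /nagios/ HTTP/1.0` shows whether the server sends a CertificateRequest in the first handshake or only attempts it afterwards.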