Bug 48107

Summary: Mutual Authentication: Order in ca-bundle influences if a client certificate is accepted or not
Product: Apache httpd-2
Reporter: Peter Pichler <pvp>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER
Severity: major
CC: woldra
Priority: P2
Keywords: MassUpdate
Version: 2.2.14
Target Milestone: ---
Hardware: Sun
OS: Solaris
Attachments: ca-bundle.crt; log with failed ssl handshake

Description Peter Pichler 2009-11-02 11:14:03 UTC
Created attachment 24463 [details]
ca-bundle.crt

When using the client-cert below in your browser (tried with IE and Firefox)
and the attached ca-bundle.crt in your apache... an SSL error occurs.

In Log:
[Mon Nov 02 17:10:49 2009] [error] Certificate Verification: Error (20): unable to get local issuer certificate

In Firefox an error message containing "ssl_error_bad_cert_alert"

When removing (!) the first certificate of the ca-bundle (which has nothing to
do with the client certificate) it is possible to authenticate using the
client-cert. There are also some other possible changes in the order within
ca-bundle with the same effect.

The problem was detected in apache 2.2.11... but still exists in 2.2.14....

Comment 1 Ruediger Pluem 2009-11-02 12:05:02 UTC
Please set the loglevel to debug and provide the output of the error log during such a failed handshake.
Does it start working when you reduce your ca-bundle.crt file to just the certificate blocks (It currently contains comments, clear text certificate data and further stuff)?
What version of openssl are you using?
Comment 2 Joe Orton 2009-11-02 12:11:57 UTC
This could be bug 46952.

Can you fetch http://people.apache.org/~jorton/pr46952.diff - then

$ patch modules/ssl/ssl_engine_io.c < pr46952.diff

and rebuild?
Comment 3 Wolfgang Draskovic 2009-11-03 07:21:01 UTC
(In reply to comment #1)
> Please set the loglevel to debug and provide the output of the error log during
> such a failed handshake.

see attached error_log

> Does it start working when you reduce your ca-bundle.crt file to just the
> certificate blocks (It currently contains comments, clear text certificate data
> and further stuff)?
We already tried that before but it makes no difference.

> What version of openssl are you using?

openssl version used by apache is 0.9.8f
Comment 4 Wolfgang Draskovic 2009-11-03 07:22:12 UTC
Created attachment 24466 [details]
log with failed ssl handshake
Comment 5 Wolfgang Draskovic 2009-11-03 07:44:00 UTC
(In reply to comment #2)
> This could be bug 46952.
> 
> Can you fetch http://people.apache.org/~jorton/pr46952.diff - then
> 
> $ patch modules/ssl/ssl_engine_io.c < pr46952.diff
> 
> and rebuild?

patched and rebuilt apache - no difference.

Regards
Comment 6 Peter Pichler 2009-11-23 02:28:14 UTC
There is no difference, when removing the text elements from the ca-bundle.crt file...
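Comment 1 asks for the bundle reduced to bare certificate blocks, the description reports that removing the first block makes the client cert verify, and comments 3 and 6 report that the reduction alone changes nothing. The script below is an added helper, not part of this report or of httpd: it performs that reduction (tolerating CRLF endings and clear-text dumps between blocks) and builds the one-certificate-removed and moved-to-end variants that can each be tried with `openssl verify -CAfile <variant> client.crt` to localise which block, and which position, the failure depends on. The sample bundle is constructed, with placeholder base64 bodies rather than real certificates.

```python
import re
from typing import List, Tuple

# Constructed sample (not the report's attachment): comments and a clear-text
# dump sit between PEM blocks, one block uses CRLF line endings, and the
# base64 bodies are placeholders rather than real certificates.
SAMPLE_BUNDLE = (
    "# constructed root CA\r\n"
    "Certificate:\r\n"
    "    Subject: CN=Constructed Root\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "Q09OU1RSVUNURURST09U\r\n"
    "-----END CERTIFICATE-----\r\n"
    "# constructed intermediate 1\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURURJTlQx\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURURJTlQy\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.S)


def certificate_blocks(bundle_text: str) -> List[str]:
    """PEM certificate blocks only, in file order, normalised to LF endings;
    comments and clear-text dumps between blocks are dropped."""
    return [m.group(0).replace("\r\n", "\n") + "\n"
            for m in _PEM_CERT.finditer(bundle_text)]


def removal_variants(bundle_text: str) -> List[Tuple[int, str]]:
    """One bundle per certificate with that certificate removed and the rest
    in original order; each variant is a candidate -CAfile for openssl verify."""
    blocks = certificate_blocks(bundle_text)
    return [(i, "".join(blocks[:i] + blocks[i + 1:])) for i in range(len(blocks))]


def moved_to_end(bundle_text: str, index: int) -> str:
    """Same blocks with block `index` moved last, to separate an order
    dependency from a problem with the block itself."""
    blocks = certificate_blocks(bundle_text)
    blocks.append(blocks.pop(index))
    return "".join(blocks)


if __name__ == "__main__":
    print(f"{len(certificate_blocks(SAMPLE_BUNDLE))} certificate blocks after reduction")
    print(moved_to_end(SAMPLE_BUNDLE, 0))
```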
Comment 7 William A. Rowe Jr. 2018-11-07 21:09:00 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.