[Mod_nss-list] Problem configuring Client certificate Authentication

Luis Neves luisneves at hotmail.com
Tue Aug 31 08:57:27 UTC 2010


A dumb test:

restart apache with /etc/init.d/httpd restart, close and open the client browser and try again
just to be sure

Date: Tue, 31 Aug 2010 10:41:13 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

No... It didn't work with location either..

But maybe if I follow your approach it could work for me as well...

On 31/08/10 10:36, Luis Neves wrote:

But after fixing "location" it worked??

no, for now I really didn't need that,

I am trying to make a reverse proxy to protect internal pages and give
them access via some smartcards, But boy, I had so many problems so far
that I was almost quitting on this.....!

Luis

Date: Tue, 31 Aug 2010 10:17:02 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

Wow!! Actually I had directory directive instead of location at that
moment (I was just trying that). I made a copy-paste and changed it
on-the-fly but I guess I didn't realize about the first
<Location>... hehehe sorry

So... do you do something similar in your virtualhost? I mean, do you
need users to use a client certificate only in some parts of the
website?

Thank you very much

On 31/08/10 10:11, Luis Neves wrote:

Hi Tomas,

It's missing something on your post, like the first location, etc, but
anyway, is it when using the "location" tag that it is giving the problem? I
don't use it but will make a test to see what happens here

Luis

Date: Mon, 30 Aug 2010 14:24:00 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication

Greetings

I'm trying to configure mod_nss in Apache in order to use it as my
client certificate authentication mechanism, but I'm having problems
with it..

I'd like to use client authentication in some parts of a website... so
I tried to do it as with mod_ssl, using the Location directive with the
NSSVerifyClient require directive inside, but it never works... I always
get this error...

[Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
[Mon Aug 30 14:17:34 2010] [info] Read error -12176
[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
[Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53)
    

After this, I checked the documentation and it says I can work
per-server or per-directory context... So I tried to do it per-server
and it works perfectly.. but, as I told you, this is not the solution
I'm looking for.. so I tried to configure it per-directory... but it
doesn't work either...

Here I attach my per-directory configuration... It's just a test but this
is more or less how it should look at the end:

<VirtualHost *:443>
    ServerName amsterdam

    LogLevel debug
    ErrorLog /var/log/apache2/testmodnss/error.log
    CustomLog /var/log/apache2/testmodnss/access.log combined
    DocumentRoot /var/www/testmodnss

    # ssl
    NSSEngine on
    RewriteEngine on
    NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
    NSSProtocol All

    ## Certificate database. It contains both public and private key of the ssl server.
    ## It also contains the CA certificate of the allowed client certificates
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert

    # ssl client
    <Directive "/var/www/testmodnss/files/">
        AllowOverride all
        NSSVerifyClient require
        NSSOptions +ExportCertData
        NSSOptions +StdEnvVars
    </Location>
</VirtualHost>

NSSPassPhraseHelper /usr/sbin/nss_pcache

Could you please help me?

Thank you very much

-- 
Regards,

Tomás Tormo Franco
Systems Department

INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com
http://www.indenova.com

Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php

_______________________________________________
Mod_nss-list mailing list
Mod_nss-list at redhat.com
https://www.redhat.com/mailman/listinfo/mod_nss-list
  
  

  
