[Mod_nss-list] Problem configuring Client certificate Authentication
Luis Neves
luisneves at hotmail.com
Thu Sep 2 09:31:04 UTC 2010
In the link provided by Rob:

"Client-initiated renegotiations disabled in mod_ssl

Updated httpd packages were released that change mod_ssl to reject all client-initiated renegotiations, which mitigates this flaw for the majority of configurations using mod_ssl to provide HTTPS service. However, an attack is still possible in configurations where server-initiated renegotiations are required.

Configurations still affected by the issue are typically where:

- Client certificate authentication is used for some part of the site, but is not required by default. This happens when "SSLVerifyClient require" is configured in a <Location> or <Directory> context section, but not in the corresponding <VirtualHost> for the SSL server.
- Different cipher suites are required for different parts of the web site. Cipher suite requirements can be configured in per-server or per-directory context using the SSLCipherSuite directive.

Server-initiated renegotiations can be avoided by:

- Changing the site layout so that client certificate authentication is required for the whole site, rather than only a part. In other words, so that "SSLVerifyClient" is used only directly inside a <VirtualHost> section.
- Using the same cipher suite for the whole site. The highest cipher strength requirement of all directories and locations should be set in the <VirtualHost> section."
From: luisneves at hotmail.com
To: ttormo at indenova.com; mod_nss-list at redhat.com
Date: Thu, 2 Sep 2010 08:15:45 +0000
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
Tomas, here is the same, and the problem is this (it happens also in SSL):
SSLVerifyClient fails when inside <Location>
http://www.linode.com/forums/viewtopic.php?t=5115
Will try to post in ssl list as well to see if someone helps on this
Luis
Date: Tue, 31 Aug 2010 11:35:42 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
Thank you very much for your help Luis
I changed the directive to <Location> again. I realized I did a really bad
copy-paste, because the <Location> directive needs a URL (in this case
/files) instead of a directory. So, if I left the configuration just like
before, Apache let me go to the webpage without asking for the certificate.
This was because I didn't request a location "/var/www/testmodnss/files"
(what's more, it doesn't exist). So I changed the location to "/files" and
I get the error again...
I also tried all you told me but I still get the error... :(
This is how my configuration looks now (I didn't put the NSSRenegotiation
off and NSSRequireSafeNegotiation off directives in because Apache is
giving me an error at startup saying that they are not recognized :S)
<VirtualHost *:443>
ServerName amsterdam
LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss
# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
#NSSProtocol All
NSSProtocol SSLv3,TLSv1
## Certificate database. It contains both public and private key of the
## ssl server. It also contains the CA certificate of the allowed client
## certificates
NSSCertificateDatabase /etc/apache2/certs/nss/
NSSNickName Server-Cert
# ssl client
<Location "/files">
NSSVerifyClient require
NSSOptions +ExportCertData
NSSOptions +StdEnvVars
</Location>
</VirtualHost>
NSSPassPhraseHelper /usr/sbin/nss_pcache
On 31/08/10 11:26, Luis Neves wrote:
or
NSSProtocol SSLv3,TLSv1
I am unable to test location today as I forgot my card at home......
But I think location has to work; your error seems to be something related to
a "protocol re-negotiation error".....
Luis
From: luisneves at hotmail.com
To: ttormo at indenova.com
Date: Tue, 31 Aug 2010 09:16:46 +0000
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
try this!
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation off
Date: Tue, 31 Aug 2010 10:41:13 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
No... It didn't work with location either..
But maybe if I follow your approach it could work for me as well...
On 31/08/10 10:36, Luis Neves wrote:
But after fixing "location" it worked??
No, for now I really didn't need that,
I am trying to make a reverse proxy to protect internal pages and give
them access via some smartcards, but boy, I have had so many problems so far
that I was almost quitting on this.....!
Luis
Date: Tue, 31 Aug 2010 10:17:02 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
Wow!! Actually I had the Directory directive instead of Location at that
moment (I was just trying that). I made a copy-paste and changed it
on-the-fly but I guess I didn't notice the first
<Location>... hehehe, sorry
So... do you do something similar in your virtualhost? I mean, do you
need users to use a client certificate only in some parts of the
website?
Thank you very much
On 31/08/10 10:11, Luis Neves wrote:
Hi Tomas,
Something is missing from your post, like the first location, etc., but
anyway, is it when using the "location" tag that it gives the problem? I
don't use it but will make a test to see what happens here
Luis
Date: Mon, 30 Aug 2010 14:24:00 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
Greetings
I'm trying to configure mod_nss in Apache in order to use it as my
client certificate authentication mechanism, but I'm having problems
with it..
I'd like to use client authentication in some parts of a website... so
I tried to do it as with mod_ssl, using the Location directive with the
NSSVerifyClient require directive inside, but it never works... I always
get this error...
[Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
[Mon Aug 30 14:17:34 2010] [info] Read error -12176
[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
[Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53)
After this, I checked the documentation and it says I can work in
per-server or per-directory context... So I tried to do it per-server
and it works perfectly.. but, as I told you, this is not the solution
I'm looking for.. so I tried to configure it per-directory... but it
doesn't work either...
Here I attach my per-directory configuration... It's just a test but this
is more or less how it should look at the end:
<VirtualHost *:443>
ServerName amsterdam
LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss
# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol All
## Certificate database. It contains both public and private key of the
## ssl server. It also contains the CA certificate of the allowed client
## certificates
NSSCertificateDatabase /etc/apache2/certs/nss/
NSSNickName Server-Cert
# ssl client
<Directive "/var/www/testmodnss/files/">
AllowOverride all
NSSVerifyClient require
NSSOptions +ExportCertData
NSSOptions +StdEnvVars
</Location>
</VirtualHost>
NSSPassPhraseHelper /usr/sbin/nss_pcache
Could you please help me?
Thank you very much
--
Un saludo,
Tomás Tormo Franco
Area de sistemas
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
ttormo at indenova.com
http://www.indenova.com
Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: http://www.indenova.com/eSignaViewer.php
_______________________________________________
Mod_nss-list mailing list Mod_nss-list at redhat.com https://www.redhat.com/mailman/listinfo/mod_nss-list
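A small checker for the two "still affected" conditions in the Red Hat note quoted at the top of this thread, run against a constructed config in the shape of the per-directory one posted above. This is added example code, not from the thread or the mod_nss project; its rule (flag any VerifyClient or CipherSuite value set in a sub-context that the enclosing <VirtualHost> does not also set) is a heuristic reading of that note, not mod_ssl's or mod_nss's exact renegotiation logic.

```python
import re

# Constructed sample in the shape of the per-directory config posted in this
# thread (not the poster's file verbatim): client certs are required only in
# a <Location>, and the <VirtualHost> itself never asks for one.
SAMPLE_CONFIG = """
<VirtualHost *:443>
NSSEngine on
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
<Location "/files">
NSSVerifyClient require
NSSOptions +ExportCertData
</Location>
</VirtualHost>
"""

SECTIONS = r'VirtualHost|Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch'
OPEN = re.compile(rf'^<({SECTIONS})\b(.*)>$', re.I)
CLOSE = re.compile(rf'^</({SECTIONS})>$', re.I)
DIRECTIVE = re.compile(r'^((?:SSL|NSS)(?:VerifyClient|CipherSuite))\s+(.+)$', re.I)

def _kind(name):
    # SSLVerifyClient and NSSVerifyClient (likewise the CipherSuite pair) count alike.
    return name.lower()[3:]

def find_renegotiation_triggers(config_text):
    """Return (line_no, 'Directive value', context) for each VerifyClient or
    CipherSuite setting in a sub-context whose value the enclosing <VirtualHost>
    does not already set: a heuristic for the two "still affected" conditions
    in the Red Hat note quoted at the top of this thread."""
    stack, vhost_level, nested = [], {}, []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if m := OPEN.match(line):
            stack.append(f'<{m.group(1)}{m.group(2)}>')
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := DIRECTIVE.match(line)) and stack:
            name, value = m.group(1), m.group(2).strip()
            if stack[-1].lower().startswith('<virtualhost'):
                vhost_level[_kind(name)] = value.lower()
            else:
                nested.append((n, name, value, stack[-1]))
    # A per-directory value the vhost does not already carry makes the server
    # renegotiate when a request first enters that context.
    return [(n, f'{name} {value}', ctx) for n, name, value, ctx in nested
            if vhost_level.get(_kind(name)) != value.lower()]
```

Moving the flagged directive up into the <VirtualHost> (the layout change the Red Hat note recommends) makes the checker return an empty list for the same file.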