[Mod_nss-list] Problem configuring Client certificate Authentication

Luis Neves luisneves at hotmail.com
Thu Sep 2 09:31:04 UTC 2010


In the link provided by Rob:

Client-initiated renegotiations disabled in mod_ssl

Updated httpd packages were released that change mod_ssl to reject all client-initiated renegotiations, which mitigates this flaw for the majority of configurations using mod_ssl to provide HTTPS service. However, an attack is still possible in configurations where server-initiated renegotiations are required. Configurations still affected by the issue are typically where:

- Client certificate authentication is used for some part of the site, but is not required by default. This happens when "SSLVerifyClient require" is configured in a <Location> or <Directory> context section, but not in the corresponding <VirtualHost> for the SSL server.
- Different cipher suites are required for different parts of the web site. Cipher suite requirements can be configured per-server or per-directory context using the SSLCipherSuite directive.

Server-initiated renegotiations can be avoided by:

- Changing the site layout so that client certificate authentication is required for the whole site, rather than only a part. In other words, so that "SSLVerifyClient" is used only when directly inside a <VirtualHost> section.
- Using the same cipher suite for the whole site. The highest cipher strength requirement of all directories and locations should be set in the <VirtualHost> section.

From: luisneves at hotmail.com
To: ttormo at indenova.com; mod_nss-list at redhat.com
Date: Thu, 2 Sep 2010 08:15:45 +0000
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

Tomas, here is the same, and the problem is this: (it happens also in SSL)

SSLVerifyClient fails when inside <Location>
http://www.linode.com/forums/viewtopic.php?t=5115

Will try to post in the ssl list as well to see if someone helps on this.
Luis

Date: Tue, 31 Aug 2010 11:35:42 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

Thank you very much for your help Luis

I changed the directive to <Location> again. I realized I did a really bad copy-paste, because the <Location> directive needs a URL (in this case /files) instead of a directory. So, if I left the configuration just like before, Apache let me go to the webpage without asking for the certificate. This was because I didn't request a location "/var/www/testmodnss/files" (what's more, it doesn't exist). So I changed the location to "/files" and I get the error again...

I also tried all you told me but I still get the error... :(

This is how my configuration looks now (I didn't put the NSSRenegotiation off and NSSRequireSafeNegotiation off directives because Apache is giving me an error at startup saying that they are not recognized :S)

<VirtualHost *:443>

    ServerName amsterdam

    LogLevel debug
    ErrorLog /var/log/apache2/testmodnss/error.log
    CustomLog /var/log/apache2/testmodnss/access.log combined
    DocumentRoot /var/www/testmodnss

    # ssl
    NSSEngine on
    RewriteEngine on
    NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

    #NSSProtocol All
    NSSProtocol SSLv3,TLSv1

    ## Certificate database. It contains both public and private key of the
    ## ssl server. It also contains the CA certificate of the allowed client
    ## certificates
    NSSCertificateDatabase /etc/apache2/certs/nss/

    NSSNickName Server-Cert

    # ssl client
    <Location "/files">
        NSSVerifyClient require
        NSSOptions +ExportCertData
        NSSOptions +StdEnvVars
    </Location>

</VirtualHost>

NSSPassPhraseHelper /usr/sbin/nss_pcache

On 31/08/10 11:26, Luis Neves wrote:

or

NSSProtocol SSLv3,TLSv1

I am unable to test location today as I forgot my card at home......

But I think location has to work, your error seems something related to a "protocol re-negotiation error".....

Luis

From: luisneves at hotmail.com
To: ttormo at indenova.com
Date: Tue, 31 Aug 2010 09:16:46 +0000
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

try this!

# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off

# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes.  Default: off
NSSRequireSafeNegotiation off

Date: Tue, 31 Aug 2010 10:41:13 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

No... It didn't work with location either..

But maybe if I follow your approach it could work for me as well...

On 31/08/10 10:36, Luis Neves wrote:

But after fixing "location" it worked??

no, for now I really didn't need that,

I am trying to make a reverse proxy to protect internal pages and give them access via some smartcards, but boy, I have had so many problems so far that I was almost quitting on this.....!

Luis

Date: Tue, 31 Aug 2010 10:17:02 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

Wow!! Actually I had the directory directive instead of location at that moment (I was just trying that). I made a copy-paste and changed it on-the-fly but I guess I didn't realize about the first <Location>... hehehe sorry

So... do you do something similar in your virtualhost? I mean, do you need users to use a client certificate only in some parts of the website?

Thank you very much

On 31/08/10 10:11, Luis Neves wrote:

Hi Tomas,

It's missing something on your post, like the first location, etc, but anyway, is it when using the "location" tag that it gives the problem? I don't use it but will make a test to see what happens here

Luis

Date: Mon, 30 Aug 2010 14:24:00 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication

Greetings

I'm trying to configure mod_nss in Apache in order to use it as my client certificate authentication mechanism, but I'm having problems with it..

I'd like to use client authentication in some parts of a website... so I tried to do it as with mod_ssl, using the Location directive with the NSSVerifyClient require directive inside, but it never works... I always get this error...

[Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
[Mon Aug 30 14:17:34 2010] [info] Read error -12176
[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
[Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53)

After this, I checked the documentation and it says I can work per-server or per-directory context... So I tried to do it per-server and it works perfectly.. but, as I told you, this is not the solution I'm looking for.. so I tried to configure it per-directory... but it doesn't work either...

Here I attach my per-directory configuration... It's just a test but this is more or less how it should look at the end:

<VirtualHost *:443>

    ServerName amsterdam

    LogLevel debug
    ErrorLog /var/log/apache2/testmodnss/error.log
    CustomLog /var/log/apache2/testmodnss/access.log combined
    DocumentRoot /var/www/testmodnss

    # ssl
    NSSEngine on
    RewriteEngine on
    NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

    NSSProtocol All

    ## Certificate database. It contains both public and private key of the
    ## ssl server. It also contains the CA certificate of the allowed client
    ## certificates
    NSSCertificateDatabase /etc/apache2/certs/nss/

    NSSNickName Server-Cert

    # ssl client
    <Directive "/var/www/testmodnss/files/">
        AllowOverride all
        NSSVerifyClient require
        NSSOptions +ExportCertData
        NSSOptions +StdEnvVars
    </Location>

</VirtualHost>

NSSPassPhraseHelper /usr/sbin/nss_pcache

Could you please help me?

Thank you very much

-- 
Regards,

Tomás Tormo Franco
Systems Area

INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com
http://www.indenova.com

Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
