https certificate error
"wsws" <wsws(at)fjca.com.cn>
2006-02-17 06:16:46
Hi everyone.
I have had a problem with Pound for days, still not solved.
I configured Pound to ask for a client certificate;
my Pound configuration file is below:
LogLevel 2
Alive 30

ListenHTTPS
    Address 192.168.11.8
    Port 443
    xHTTP 0
    WebDAV 0
    Client 1
    Change30x 1
    Cert "/ws/Pound-2.0.1/me.pem"
    CAlist "/ws/Pound-2.0.1/fjroot.pem"
    VerifyList "/ws/Pound-2.0.1/fjca.pem"
    ClientCert 2 2
    NoHTTPS11 2
    Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"

    Service
        # URL ".*"
        BackEnd
            Address 192.168.11.3
            Port 80
            Priority 1
        End
        Session
            Type IP
            TTL 300
        End
    End
End
When the client (IE) chooses the certificate in the certificate selection dialog,
we can see this line in the Pound logfile:
BIO_do_handshake with 192.168.1.35 failed:
error:140890B2:SSLroutines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
When ClientCert 2 2 is changed to ClientCert 0 2 (ask for no certificate), everything is OK.
Any suggestions?
OpenSSL is 0.9.8a.
Thanks!
WANG
2006.2.17
Re: [Pound Mailing List] https certificate error
Robert Segall <roseg(at)apsis.ch>
2006-02-17 14:13:05
On Fri, 2006-02-17 at 13:16 +0800, wsws wrote:
[...]
Does the client actually have a certificate issued by one of your
allowed CAs? Once you set a CAList, only certificates issued by those
CAs are returned by the client. Check if your browser actually contains
the right certificate (in IE, under Internet Options).
I think you can also set your browser to ask you which certificate it
should return to the server - that allows you to see what is happening.
[...]
Re: [Pound Mailing List] https certificate error
Eckard Koch <eckard.koch(at)ekoch.ch>
2006-02-20 11:51:50
--On Friday, February 17, 2006 13:16:46 +0800 wsws <wsws(at)fjca.com.cn> wrote:
[...]
I think I'm running into the same problem here trying to use client
certificate verification with Pound.
Currently, I'm using Pound 2.0.1 on Linux 2.6 with openssl 0.9.7e.
With option ClientCert 1 and ClientCert 2 I get the syslog message:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Using openssl s_client as the client to connect to Pound I get the
following output:
$> openssl s_client -host bcch07.int.belleriveconsulting.com -port 443 \
    -showcerts -ssl3 \
    -cert e.koch.pem -key e.koch.pem \
    -CAfile /etc/ssl/certs/ca-certificates.crt -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=CH/O=Bellerive Consulting Ltd./....
verify return:1
depth=0 /C=CH/ST=Zurich/....
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad certificate
SSL_connect:failed in SSLv3 read finished A
11948:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
11948:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
[...]
certificate.
When I replace Pound by openssl s_server using the same certificate setup I
can establish a connection. I've also successfully connected directly
to apache2/modssl on the same machine configured with the same certificates
as provided to Pound.
Is there anything I'm missing here? What else can I do to debug the problem?
Thanks,
Eckard Koch
[...]
Re: [Pound Mailing List] https certificate error
Robert Segall <roseg(at)apsis.ch>
2006-02-20 15:34:21
On Mon, 2006-02-20 at 11:51 +0100, Eckard Koch wrote:
[...]
I don't know about you, but the OP was showing a config file with both
CAlist and VerifyList defined. Remember that Pound verifies client
certificates against the CA certificates in the VerifyList. If the
certificate returned by the client cannot be verified against any of
these CAs then the verification fails.
I suggest you try to configure Pound with ClientCert 3 (ask for client
certificate but do not verify), look which certificate Pound received
from the client and check if it was indeed issued by one of the CAs
Pound knows about (from VerifyList).
[...]
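The check Robert describes can be reproduced offline with the openssl command line, as an added example that is not code from this thread or from Pound: a client certificate whose issuer is only in the CA file used as CAlist (the names the listener advertises, which s_client prints under "Acceptable client certificate CA names") but not in the file used as VerifyList fails the chain check, while one issued by a VerifyList CA passes. The CA and certificate names (verifyca, otherca, good, bad) and the temporary files are constructed here.

```shell
#!/bin/sh
# Added example: emulate Pound's VerifyList check with "openssl verify".
# Everything below (CA names, client names, files) is constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkca NAME: self-signed CA key and certificate
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/C=XX/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# mkclient NAME CA: client certificate signed by the given CA
mkclient() {
    openssl req -newkey rsa:2048 -nodes -subj "/C=XX/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_client CERT CAFILE: the chain check Pound applies using VerifyList;
# prints "ok" or "fail" and returns 0 or 1 accordingly
verify_client() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

mkca verifyca              # the CA that goes into VerifyList
mkca otherca               # a CA that is advertised (CAlist) but not trusted
mkclient good verifyca     # client cert issued by a VerifyList CA
mkclient bad otherca       # client cert issued by a CAlist-only CA
cat "$WORK/verifyca.pem" > "$WORK/VerifyList.pem"
cat "$WORK/verifyca.pem" "$WORK/otherca.pem" > "$WORK/CAlist.pem"

verify_client "$WORK/good.pem" "$WORK/VerifyList.pem"          # ok
verify_client "$WORK/bad.pem" "$WORK/VerifyList.pem" || true   # fail
# The same rejected cert chains fine against the CAlist file: the client was
# offered its issuer's name, yet the listener still cannot verify it.
verify_client "$WORK/bad.pem" "$WORK/CAlist.pem"               # ok
```

Run the first check against the real VerifyList file and the certificate the browser actually sends; a "fail" there explains the "no certificate returned" / "bad certificate" alerts seen in this thread without touching Pound at all.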
Re: [Pound Mailing List] https certificate error
Eckard Koch <eckard.koch(at)ekoch.ch>
2006-02-20 23:07:47
On Monday, 20 February 2006 15:34, Robert Segall wrote:
[...]
like to accept and a revocation list. I've also stripped the VerifyList
down to the one CA cert used to sign the client certificate. Another
attempt was done with identical CAlist and VerifyList. The problem remained.
[...]
Did that for Pound-2.0.2 and Pound-1.10. The results are kind of confusing.
For Pound-1.10, HTTPSHeader 3 delivers the details
of the SSL client certificate as expected in the HTTP header to
the back-end server. HTTPSHeader 2 and HTTPSHeader 1 fail
with "no certificate returned".
For Pound-2.0.2 and ClientCert 3 the SSL handshake completes
and an SSL session is established (which fails for ClientCert 1 and 2),
but the session is closed immediately with "Bad certificate".
The back-end server is not receiving anything.
s_client output for ClientCert 3:
$> openssl s_client -host radius.dmz.ekoch.ch -port 443 -showcerts \
    -cert e.koch.pem -key e.koch.pem \
    -CAfile ../server/certs/ca-list.cert -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /C=CH/ST=Zuerich/ ...
verify return:1
depth=1 /C=CH/ST=Zuerich/ ...
verify return:1
depth=0 /C=CH/ST=Zuerich/ ...
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=CH/ST=Zuerich/...
i:/C=CH/ST=Zuerich/...
-----BEGIN CERTIFICATE-----
MIICcjCCAdugAwIBAgIBFzANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJDSDEQ
MA4GA1UECBMHWnVlcmljaDEQMA4GA1UEBxMHWnVlcmljaDERMA8GA1UEChMIZWtv
....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CH/ST=Zuerich/....
issuer=/C=CH/ST=Zuerich/....
---
Acceptable client certificate CA names
/C=CH/O=Bell...
/C=US/ST=DC/L=Washington/O=ABA.ECOM, INC./CN=ABA.ECOM Root CA/Email=admin(at)digsigtrust.com
...
/DC=CH/DC=EKOCH/...
/C=CH/ST=Zuerich/....
/C=CH/ST=Zuerich/...
---
SSL handshake has read 1856 bytes and written 3709 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: B70D31EA0E42A...
Session-ID-ctx:
Master-Key: D000AB858FCA9FAA...
Key-Arg : None
Start Time: 1140471993
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
Alternatively, I have used Firefox 1.5 with client certificate selection
enabled, so I could control the client certificate sent upon server request.
I've also checked the same configuration for the Debian
package pound-2.0-1 and found the same behavior.
Are there any known limitations related to the CA certificates?
I suppose self-signed CA certificates are accepted in the
certificate chain?
I would be interested to know what configurations
are known to work (pound, ssl, OS) with client certificate
verification. Any success stories?
Eckard Koch
Re: [Pound Mailing List] https certificate error
"wsws" <wsws(at)fjca.com.cn>
2006-02-21 01:20:19
Hi:
Yes, for these days I have experimented many times with Pound 2.0.1, Pound 2.0, etc.,
in order to configure Pound to ask for a client certificate.
But it fails; all attempts get the same result:
BIO_DO_HANDSHAKE:SSL3_GET_CLIENT_CERTIFICATE:no certificate return.
Looking forward to knowing what configurations
are known to work (pound, ssl, OS) with client certificate verification. Any
success stories?
----- Original Message -----
From: "Eckard Koch" <eckard.koch(at)ekoch.ch>
To: <pound(at)apsis.ch>
Sent: Tuesday, February 21, 2006 6:07 AM
Subject: Re: [Pound Mailing List] https certificate error
[...]
Re: [Pound Mailing List] https certificate error
Robert Segall <roseg(at)apsis.ch>
2006-02-21 12:13:59
On Mon, 2006-02-20 at 23:07 +0100, Eckard Koch wrote:
[...]
While I could accept some issues with 2.x, there is something definitely
wrong with your set-up - 1.x is known to work. Please try with a
"standard" (issued by a known authority) client certificate and leave
out CAlist/VerifyList altogether.
[...]
And what have you observed?
[...]
Self-signed is fine for the CA, but then what chain are you talking
about?
[...]
I'd like others to answer as well, but I can confirm that (at least 1.x)
is working fine with this.
[...]
Re: [Pound Mailing List] https certificate error
"wsws" <wsws(at)fjca.com.cn>
2006-02-24 02:09:26
Hi,
I have successfully configured Pound 1.10 to verify client certificates,
but Pound 2.0 and Pound 2.0.1 failed.
What is the difference between them?
----- Original Message -----
From: "Eckard Koch" <eckard.koch(at)ekoch.ch>
To: <pound(at)apsis.ch>
Sent: Tuesday, February 21, 2006 6:07 AM
Subject: Re: [Pound Mailing List] https certificate error
[...]