
Need help with Client Certificate Validation (Pound v2.1)
"Sarah Brennan" <sarah.brennan(at)navman.com>
2006-08-16 00:25:22
Hi everyone,

I'm trying to get Client Certificate Validation working with Pound v2.1
but it doesn't seem to like me.

Here's my pound configuration file...

ListenHTTPS
  Address 1.12.123.44
  Port 443
  Cert "/usr/local/etc/server_cert.pem"
  ClientCert 2 9
  CAlist "/usr/local/etc/calist.pem"
  VerifyList "/usr/local/etc/vertifylist.pem"
End
#
LogLevel 2
#
Service
  Backend
    Address 1.12.123.44
    Port 8080
    TimeOut 360
  End
  Session
    Type BASIC
    TTL 36000
  End
End

For the certificates, I'm using the following...
* Server certificate
  * Self-signed certificate created using openssl
* Certificate Authority
  * Created a CA using openssl
* Client certificate
  * Created by openssl and signed using the CA I previously created

The CAlist file contains the CA I created, which should be correct.

The VerifyList file contains the CA I created. This file may be wrong as
the man page mentions it should also contain the CRL, but I'm not
exactly sure what this is.

I'm using Firefox as my test browser, which has the client certificate
installed in pkcs12 format. Btw, I used openssl to convert the client
certificate into pkcs12 format.

When I browse to the server URL with ClientCert set to "3 9", everything
works fine. The server asks for a client certificate and I select the
certificate I installed from the list and the connection goes through -
makes sense as no client certificate validation is occurring yet.

When I change the ClientCert value to "2 9" then it fails. The server
still asks for a client certificate, and I select my imported
certificate, but the connection fails after that and I get the error
message...

"Could not establish an encrypted connection because your certificate
was rejected by <server-name>. Error Code: -12271"

Something else I've noticed is that I don't seem to get a lot of logging
output. If the connection goes through then I see the GET request in the
log (e.g. Aug 17 23:29:57 <server-name> pound: 1.12.123.44 GET
/test-jaxrpc/test HTTP/1.1 - HTTP/1.1 200 OK (:8080)), but that's all.
If the connection fails (i.e. validation was turned on), then I don't
see anything in the log. Is there a way for me to get more logging
details to show up in the log?

As far as I can tell, I have a client certificate which is signed by the
CA in my CAlist and VerifyList files and thus I think it should work,
but it doesn't, and the lack of logging details is making it hard for me
to see what's going on.

Any assistance in getting this working would be greatly appreciated.

Many thanks,

Sarah

RE: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)
"Sarah Brennan" <sarah.brennan(at)navman.com>
2006-08-20 22:08:26
Hi everyone,

I'm still stuck on this, so I'm really hoping that someone can offer me ideas
of things to try to either get it working or to figure out what's going wrong.

Many thanks,
Sarah 


RE: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)
"Sarah Brennan" <sarah.brennan(at)navman.com>
2006-08-22 00:35:40
Hello again,

As I was getting nowhere trying to use Pound v2.1, I decided to try the
setup using Pound v1.10.

My new pound configuration file is as follows...

ListenHTTPS 1.12.123.44,443 /usr/local/etc/server_cert.pem
#
HTTPSHeaders 3 ""
CAlist "/usr/local/etc/calist.pem"
VerifyList "/usr/local/etc/vertifylist.pem" 9
#
LogLevel 2
RewriteRedirect 1
#
URLGroup ".*"
  Backend 101.12.123.44,443,3
  Session BASIC 36000
EndGroup

When I try to start Pound v1.10 with this configuration file, I get the
following error in the log file...
    pound: SSL_load_client_CA_file failed - aborted

I've confirmed that the CAlist file location
("/usr/local/etc/calist.pem") is correct and it contains the CA which I
generated using the following SSL command...
	Openssl req -out ca.pem -new x509
This command then prompted me to enter a passphrase, country, state,
city, company, unit, common name and email. I entered data for all of
these, except the email, and as far as I know none of them have any
special technical requirements. 
E.g. the common name doesn't have to match the server domain name or
anything like that.

I then copied the contents of ca.pem and put it into a CAlist file such
that the CAlist file looks like this...
-----BEGIN CERTIFICATE-----
MIIDHDCCAoWgAwIBAgIJAOi8HT1VLwYTMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV
<etc>
Qc7wVKj907YSnNGq9/Xls5xaUjESHCHY5ggSo8ZeMJM=
-----END CERTIFICATE-----

Can anyone see what I might have done wrong, or things I can try to
figure out where the problem is? Any help would be greatly appreciated
as currently I'm a bit lost on what to try next.

Many thanks in advance,

Sarah



RE: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)
"Sarah Brennan" <sarah.brennan(at)navman.com>
2006-08-22 00:52:37
Sorry, just a minor correction to my openssl command to generate the CA.
It should read...

openssl req -out ca.pem -new -x509

Regards,
Sarah


RE: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)
Robert Segall <roseg(at)apsis.ch>
2006-08-22 18:50:12
On Tue, 2006-08-22 at 10:35 +1200, Sarah Brennan wrote: [...]

Are you sure you understand the difference between CAlist and
VerifyList? I think you may be mixing the two. [...]

RE: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)
"Sarah Brennan" <sarah.brennan(at)navman.com>
2006-08-22 21:30:58
I may very well be. I am new to setting up Client Certificate validation
so I may be getting the contents of the CAlist.pem and VertifyList.pem
files incorrect.

What should they contain?

Sarah


RE: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)
"Sarah Brennan" <sarah.brennan(at)navman.com>
2006-08-22 21:58:58
Btw, some extra information which may be useful.

I used the following page (http://dsd.lbl.gov/~boverhof/openssl_certs.html)
as a guide for using openssl to generate a CA and a Client certificate
which is signed with that CA.

Sarah


RE: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)
"Sarah Brennan" <sarah.brennan(at)navman.com>
2006-08-23 00:28:25
Ok, I've done more searching and playing around with this, but I still
can't seem to get it to work. 

Searching on the web found a new set of instructions for generating a CA
which use the CA.sh script provided by openssl, which seemed a slightly
more reliable method. The instructions I found are at:
http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

I followed those instructions to generate a local CA and then a Client
Certificate signed with that CA. Looking at the cacert.pem file
generated by this method it has a lot of extra information at the top of
the file as well as the actual certificate component.

Here's a sample of the first 10 or so lines from top of the new
cacert.pem file...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NZ, ST=Auckland, O=Navman, OU=PCN, CN=Activation
Development CA
        Validity
            Not Before: Aug 22 21:44:49 2006 GMT
            Not After : Aug 21 21:44:49 2009 GMT
        Subject: C=NZ, ST=Auckland, O=Navman, OU=PCN, CN=Activation
Development CA
        Subject Public Key Info:
<End of sample>

I tried using the contents of this new cacert.pem file in my calist.pem,
but Pound v1.10 still wouldn't start (I get the same error "pound:
SSL_load_client_CA_file failed - aborted"). I also tried variations on
this file, but nothing I tried worked. Possibly I need to do something
with the private key for the CA (cakey.pem) but I'm not sure. 

Now, I'm sure my lack of experience with CA files is showing here but
what I think I need to help me get this working is...
(1) Example calist.pem and vertifylist.pem files so I can see what
format they are supposed to be in
(2) Either confirmation that the set of instructions I'm following
(http://www.octaldream.com/~scottm/talks/ssl/opensslca.html) is
correct, or a link to a set of instructions which will allow me to
generate the required files.

Once again, thank you for your time and assistance in helping me to get
this working.

Regards,
Sarah

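An added example, not code from Pound or from anyone in this thread, that pre-checks the two files the thread keeps coming back to. It parses a PEM bundle with only the Python standard library and reports whether the file looks usable as a CAlist (assumed here to hold CA certificates only) or as a VerifyList (assumed to hold CA certificates plus the CRL the man page asks for), catching a CSR pasted in place of a certificate, a truncated block or one whose END line is missing, and a missing CRL. The PEM bodies it uses are constructed stubs, not real certificates, and the "openssl x509 -text" style dump placed before one block is skipped the way OpenSSL's own PEM reader skips it.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
# role -> (PEM labels expected in that file, label that must appear at least once)
ROLES = {"CAlist": ({"CERTIFICATE"}, "CERTIFICATE"),
         "VerifyList": ({"CERTIFICATE", "X509 CRL"}, "X509 CRL")}

def der_outer_ok(der):
    """True if der is exactly one DER SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = 0 if der[1] < 0x80 else der[1] & 0x7F  # 0: short form, else count of length bytes
    if der[1] == 0x80 or n > 4 or len(der) < 2 + n:
        return False
    body = der[1] if n == 0 else int.from_bytes(der[2:2 + n], "big")
    return 2 + n + body == len(der)

def parse_pem(text):
    """Split a PEM bundle into (label, der) blocks and collect envelope problems."""
    blocks, problems, label, b64 = [], [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := BEGIN.match(line):
            if label:
                problems.append(f"{label}: new BEGIN before END of previous block")
            label, b64 = m.group(1), []
        elif m := END.match(line):
            if label is None or m.group(1) != label:
                problems.append(f"END {m.group(1)}: no matching BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(b64), validate=True)
                    if not der_outer_ok(der):
                        raise ValueError("DER length does not match data")
                    blocks.append((label, der))
                except ValueError as exc:  # binascii.Error is a ValueError
                    problems.append(f"{label}: truncated or corrupt block ({exc})")
            label = None
        elif label:
            b64.append(line)
        # Lines outside BEGIN/END (an "openssl x509 -text" dump, comments) are
        # skipped, which is what OpenSSL's own PEM reader does, so they are harmless.
    if label:
        problems.append(f"{label}: file ended without END line")
    return blocks, problems

def check_bundle(text, role):
    """Problems with using this file as Pound's CAlist or VerifyList; [] means it looks fine."""
    allowed, required = ROLES[role]
    blocks, problems = parse_pem(text)
    labels = [lb for lb, _ in blocks]
    for lb in labels:
        if lb not in allowed:
            problems.append(f"{role}: unexpected {lb} block (expected {sorted(allowed)})")
    if required not in labels:
        problems.append(f"{role}: no {required} block found")
    return problems

# Constructed inputs: the body is a tiny DER SEQUENCE (30 03 02 01 05), not a real
# certificate, so only the envelope checks are exercised.
STUB = "MAMCAQU="
CA_PEM = f"-----BEGIN CERTIFICATE-----\n{STUB}\n-----END CERTIFICATE-----\n"
CSR_PEM = f"-----BEGIN CERTIFICATE REQUEST-----\n{STUB}\n-----END CERTIFICATE REQUEST-----\n"
CRL_PEM = f"-----BEGIN X509 CRL-----\n{STUB}\n-----END X509 CRL-----\n"
DUMP_THEN_CA = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + CA_PEM
NO_END_LINE = f"-----BEGIN CERTIFICATE-----\n{STUB}-----END CERTIFICATE-----\n"
```

Running `check_bundle(open("calist.pem").read(), "CAlist")` against a real file reports envelope problems only; whether the client certificate actually chains to the CA is still a job for `openssl verify`.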
