SSLVerifyClient applies to parent directory


SSLVerifyClient applies to parent directory

by Florian Hackenberger

Hi!

First of all: Thanks for your great software, I've used it on several
servers and it proved to be very useful.

I have a little problem with the SSLVerifyClient directive on apache
2.2.9 with mod_ssl compiled from source on debian etch. I have the
following directory layout:

/usr/local/htdocs/directory/subdirectory

and the following configuration options (besides the defaults) in
httpd.conf:

Listen 443
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
        DocumentRoot "/usr/local/htdocs"
</VirtualHost>

<Directory /usr/local/htdocs/directory/subdirectory>
        SSLVerifyClient require
        SSLVerifyDepth 1
</Directory>

The problem is that apache denies access to:
https://MYSERVER/directory

as long as I don't present a valid client certificate.

People on freenode #apache were not able to help, therefore I'm asking
here before filing a bug report.

Thanks in advance,
        Florian

--
DI Florian Hackenberger
florian@...
www.hackenberger.at
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@...
Automated List Manager                            majordomo@...

Re: SSLVerifyClient applies to parent directory

by Gilles Cuesta

Florian Hackenberger wrote:

> Hi!
>
> First of all: Thanks for your great software, I've used it on several
> servers and it proved to be very useful.
>
> I have a little problem with the SSLVerifyClient directive on apache
> 2.2.9 with mod_ssl compiled from source on debian etch. I have the
> following directory layout:
>
> /usr/local/htdocs/directory/subdirectory
>
> and the following configuration options (besides the defaults) in
> httpd.conf:
>
> Listen 443
> <VirtualHost *:443>
>         SSLEngine On
>         SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>         DocumentRoot "/usr/local/htdocs"
> </VirtualHost>
>
> <Directory /usr/local/htdocs/directory/subdirectory>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
> </Directory>
>
>  
Maybe try this:

Listen 443
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
        DocumentRoot "/usr/local/htdocs"

        <Location /directory/subdirectory>
                SSLVerifyClient require
                SSLVerifyDepth 1
        </Location>
</VirtualHost>

--
Chuck Norris was a CounterStrike champion before the Internet was invented.
Gilles CUESTA - Logiciels Libres
69139920

Re: SSLVerifyClient applies to parent directory

by Florian Hackenberger

On Thursday 26 June 2008, Cuesta Gilles wrote:

> Maybe try this:
>
> Listen 443
> <VirtualHost *:443>
>         SSLEngine On
>         SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>         DocumentRoot "/usr/local/htdocs"
>
> <Location /directory/subdirectory>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
> </Location>
> </VirtualHost>

Unfortunately it leads to the same result, but thanks for the
suggestion.

Cheers,
        Florian
--
DI Florian Hackenberger
florian@...
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

by Joe Orton

On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
> <Directory /usr/local/htdocs/directory/subdirectory>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
> </Directory>
>
> The problem is that apache denies access to:
> https://MYSERVER/directory

It denies access for what type of request, a directory listing?

joe

Re: SSLVerifyClient applies to parent directory

by Florian Hackenberger

On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?
Yes


--
DI Florian Hackenberger
florian@...
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

by Gilles Cuesta

Florian Hackenberger wrote:

> On Thursday 26 June 2008, Cuesta Gilles wrote:
>  
>> Maybe try this:
>>
>> Listen 443
>> <VirtualHost *:443>
>>         SSLEngine On
>>         SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>>         DocumentRoot "/usr/local/htdocs"
>>
>> <Location /directory/subdirectory>
>>         SSLVerifyClient require
>>         SSLVerifyDepth 1
>> </Location>
>> </VirtualHost>
>>    
>
> Unfortunately it leads to the same result, but thanks for the
> suggestion.
>
>  
Regarding mod_ssl:
"In per-server context it applies to the client authentication process
used in the standard SSL handshake when a connection is established. "
"In per-directory context it forces a SSL renegotiation with the
reconfigured client verification level after the HTTP request was read
but before the HTTP response is sent."

So maybe:

Listen 443
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
        DocumentRoot "/usr/local/htdocs"

        <Directory /usr/local/htdocs/directory/subdirectory>
                SSLVerifyClient require
                SSLVerifyDepth 1
        </Directory>
</VirtualHost>


Re: SSLVerifyClient applies to parent directory

by Florian Hackenberger

On Thursday 26 June 2008, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question. Accessing a
specific file works, but getting the directory listing fails. Would
that be a result of apache trying to access the protected directory in
order to read attributes for the listing, causing the certificate
verification to kick in?

Cheers,
        Florian

--
DI Florian Hackenberger
florian@...
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

by Gilles Cuesta

Florian Hackenberger wrote:

> On Thursday 26 June 2008, Florian Hackenberger wrote:
>  
>> On Thursday 26 June 2008, Joe Orton wrote:
>> It denies access for what type of request, a directory listing?
>>    
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would
> that be a result of apache trying to access the protected directory in
> order to read attributes for the listing, causing the certificate
> verification to kick in?
>
>  
It's more of an Apache-specific question; try setting
Options +Indexes
in your vhost, allowing directory listing.

--
Many men have searched the world over for Pandora's box; meanwhile Chuck Norris was using it to store his shoes.
Gilles CUESTA - Logiciels Libres
69139920

Re: SSLVerifyClient applies to parent directory

by Florian Hackenberger

On Friday 27 June 2008, Cuesta Gilles wrote:
> It's more an apache specific question; try setting
> Options +Indexes
> in your vhost, allowing directory listing.
Thanks, but that is certainly not the problem, as apache creates a
listing as soon as I remove 'SSLVerifyClient require'.

Cheers,
        Florian

--
DI Florian Hackenberger
florian@...
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

by Gilles Cuesta

Florian Hackenberger wrote:

> On Friday 27 June 2008, Cuesta Gilles wrote:
>  
>> It's more an apache specific question; try setting
>> Options +Indexes
>> in your vhost, allowing directory listing.
>>    
> Thanks, but that is certainly not the problem, as apache creates a
> listing as soon as I remove 'SSLVerifyClient require'.
>
> Cheers,
> Florian
>
>  
That seems to indicate that it's already activated.

For your issue, two questions:
- is a VerifyDepth of 1 enough for verification chaining?
- no default VerifyClient is set for the VirtualHost
Try adding:

SSLVerifyClient none

or

<Directory /usr/local/htdocs>
        SSLVerifyClient none
</Directory>

Listen 443
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
        DocumentRoot "/usr/local/htdocs"

        SSLVerifyClient none

        <Directory /usr/local/htdocs/directory/subdirectory>
                SSLVerifyClient require
                SSLVerifyDepth 1
        </Directory>
</VirtualHost>

--
Chuck Norris understands Lassie and Flipper the dolphin. In fact, he is the one who did the translations for every single episode!
Gilles CUESTA - Logiciels Libres
69139920

Re: SSLVerifyClient applies to parent directory

by Florian Hackenberger

On Friday 27 June 2008, Cuesta Gilles wrote:
> For your issue, two questions:
> - is a VerifyDepth 1 enough for verification chaining ?
It is, however that is not relevant for the problem, because apache
should not request a client certificate in the first place.

> - No default VerifyClient by default for VirtualHost
> Try adding:
<snipped/>

I tried your suggestion, but it does not help unfortunately.

Cheers,
        Florian

--
DI Florian Hackenberger
florian@...
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

by Joe Orton

On Fri, Jun 27, 2008 at 08:40:43AM +0200, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
> > On Thursday 26 June 2008, Joe Orton wrote:
> > It denies access for what type of request, a directory listing?
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would
> that be a result of apache trying to access the protected directory in
> order to read attributes for the listing, causing the certificate
> verification to kick in?

Yup.  Changing the "SSLVerifyClient require" to:

SSLVerifyClient optional
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

might work around it; you'll still get a client cert request for the
subrequest, but it should end in a 403 rather than terminating the SSL
connection.  (That will cause the protected directory to disappear from
the directory listing, unless you use "IndexOptions ShowForbidden")

Test this carefully though!

joe


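A complete vhost that puts Joe's workaround together with the rest of the thread, as an added example (this is not configuration posted by anyone in the thread). The SSLCACertificateFile path and the cacert-root.pem file name are assumptions, and the SSLOptions +StrictRequire and IndexOptions +ShowForbidden lines go beyond what Florian reported testing:

```apache
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/acoveo.com.pem
    # CA that issued the client certificates (assumed path/name). Without it
    # no client certificate can verify and SSL_CLIENT_VERIFY is never "SUCCESS".
    SSLCACertificateFile  /etc/apache2/ssl/cacert-root.pem
    DocumentRoot "/usr/local/htdocs"

    # Per-server context: nothing is requested from the client in the initial
    # handshake, so / and /directory/ stay anonymous.
    SSLVerifyClient none

    <Directory /usr/local/htdocs/directory>
        Options +Indexes
        # mod_autoindex issues a subrequest per entry; a 403 entry is dropped
        # from the listing unless ShowForbidden is set.
        IndexOptions +ShowForbidden
    </Directory>

    # Variant from the thread that breaks the parent listing: the subrequest for
    # "subdirectory" triggers a renegotiation, and with "require" a missing
    # certificate aborts the whole TLS connection, not just that subrequest.
    #<Directory /usr/local/htdocs/directory/subdirectory>
    #    SSLVerifyClient require
    #    SSLVerifyDepth 1
    #</Directory>

    # Working variant: the renegotiation completes even without a certificate,
    # and SSLRequire turns a missing or unverifiable certificate into a 403.
    <Directory /usr/local/htdocs/directory/subdirectory>
        SSLVerifyClient optional
        # Depth 1: the client certificate must be issued directly by a CA in
        # SSLCACertificateFile; an intermediate in the chain would fail here.
        SSLVerifyDepth 1
        # Make a failed SSLRequire final even if a "Satisfy any" or another
        # authorization directive in this scope would otherwise grant access.
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Directory>
</VirtualHost>
```

The caveat worth spelling out: with `optional` the TLS handshake itself no longer enforces anything for that directory, so the `SSLRequire` line is the entire access control. Deleting or mistyping it silently opens the subdirectory to every client. To check the result from a shell, `curl -k https://MYSERVER/directory/` should return the listing (including the protected subdirectory, because of ShowForbidden) with no client certificate, `curl -k https://MYSERVER/directory/subdirectory/` should return 403, and the same URL with `--cert client.pem --key client.key` (hypothetical file names for a CAcert-issued client certificate) should return 200.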

Re: SSLVerifyClient applies to parent directory

by Florian Hackenberger

On Friday 27 June 2008, Joe Orton wrote:
> Yup.  Changing the "SSLVerifyClient require" to:
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

Thanks a lot! The workaround worked ;-). Please consider this issue
solved.

I have another question: Has anyone successfully established a
connection to an apache/mod_ssl server with client authentication using
a java client? My client (code below) generates the following log
(exception at the end) upon execution:

*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 71 CC D3 DC AF 35   A3 A2 70 1C E5 9A 06 00  ..q....5..p.....
0010: 1F 8B 18 05 6E 55 69 4E   44 18 D2 E5 0A 57 FB D4  ....nUiND....W..
0020: 71 62 17 14 57 2A FE 8F   4D 5A CF 7A 82 09 31 8C  qb..W*..MZ.z..1.
CONNECTION KEYGEN:
Client Nonce:
0000: 48 64 A7 92 45 15 E8 74   E3 75 A7 BD F7 E3 B8 82  Hd..E..t.u......
0010: 94 D4 1E 75 ED 3D D3 41   0E 5F BA 12 ED 47 E6 B1  ...u.=.A._...G..
Server Nonce:
0000: 48 64 A7 92 B5 6D 56 62   6D E3 7B 67 C7 08 78 13  Hd...mVbm..g..x.
0010: 45 47 5A 93 18 62 D4 E5   75 25 A1 65 F8 DD 85 86  EGZ..b..u%.e....
Master Secret:
0000: 0C 65 EA 1D A6 E6 FC 3C   AD AA 34 04 C6 82 81 50  .e.....<..4....P
0010: 07 78 38 FC B6 04 77 3E   7E 90 BC 24 A9 D3 B1 86  .x8...w>...$....
0020: F9 99 26 1A FD 08 9A C3   E0 32 43 D0 A1 59 21 5C  ..&......2C..Y!\
Client MAC write Secret:
0000: D0 7D F1 90 58 AF 0B 43   F7 02 39 0C 0C B2 87 C3  ....X..C..9.....
Server MAC write Secret:
0000: 5C AD 45 74 3D 58 96 FB   41 37 72 99 12 D5 BD 3A  \.Et=X..A7r....:
Client write key:
0000: 38 AE 1A 7E 63 26 C7 7F   9D E2 74 9E D2 12 55 C9  8...c&....t...U.
Server write key:
0000: 7E 57 BF 54 A7 74 D8 72   72 AC 18 B8 5F 2D F6 06  .W.T.t.rr..._-..
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data:  { 150, 113, 105, 3, 36, 96, 160, 52, 133, 8, 145, 137 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, Exception while waiting for close
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
        at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
        at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
        at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
        at java.net.URL.openStream(URL.java:1009)
        at URLClient.main(URLClient.java:17)


The server logs the following error:
[error] Re-negotiation handshake failed: Not accepted by client!?

Has someone experience with java client verification or can someone
formulate an educated guess what the problem could be? I have the
cacert root certificate imported at the server side
(SSLCACertificateFile), as well as the client side (within the trust
store). The server, as well as the client certificate are issued by
cacert. The server certificate is specified using SSLCertificateFile
within the VirtualHost and the client certificate is stored within the
key store. I can establish an https connection to the same host without
client authentication, which leads to the assumption that the server
certificate can be verified by the java client.
I have tried to find answers to the problem using google, but none were
useful for the problem at hand.

Cheers,
        Florian



--
DI Florian Hackenberger
florian@...
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

by Florian Hackenberger

On Friday 27 June 2008, Florian Hackenberger wrote:
> I have another question: Has anyone successfully established a
> connection to an apache/mod_ssl server with client authentication
> using a java client? My client (code below) generates the following
> log (exception at the end) upon execution:

Sorry, please scrap my posting. I made an embarrassing mistake: Instead
of exporting the client certificate including the public/private
keypair from the browser and importing that into the keystore, I
imported the certificate only, without the public/private keypair...

Thanks for your help once again!
        Florian

--
DI Florian Hackenberger
florian@...
www.hackenberger.at
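The mistake Florian describes (a keystore holding the client certificate but not its private key) can be diagnosed from the keystore alone, before any network traffic. The following is an added example, not Florian's client code (which is not in the thread): it lists every alias, reports whether it is a TrustedCertificateEntry or a PrivateKeyEntry, and for key entries proves that the private key belongs to the leaf certificate with a sign/verify round trip. JSSE only offers a PrivateKeyEntry to the server, and only one whose issuer is among the CAs the server names in its CertificateRequest (taken from SSLCACertificateFile); a certificate-only entry makes the client answer with an empty certificate list, which is what a server with SSLVerifyClient require rejects. The file names in the usage comment are hypothetical, and the key password is assumed to equal the store password, as it does for a PKCS#12 file exported from a browser.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example: report which keystore entries can serve as a TLS client identity.
 *
 * Usage (hypothetical file names):
 *   java KeyStoreCheck client.p12 changeit   // PKCS#12 exported from a browser
 *   java KeyStoreCheck client.jks changeit   // JKS built with keytool
 */
public class KeyStoreCheck {

    /** Only CLIENT_IDENTITY can answer a server's CertificateRequest. */
    public enum Kind { CLIENT_IDENTITY, CERT_ONLY, KEY_CERT_MISMATCH, OTHER }

    /** Classify one alias; password is the key password (assumed equal to the store password). */
    public static Kind classify(KeyStore ks, String alias, char[] password) throws Exception {
        if (ks.isCertificateEntry(alias)) {
            // TrustedCertificateEntry: public certificate only. Fine in a truststore,
            // useless as a client identity: this is the state described in the thread.
            return Kind.CERT_ONLY;
        }
        if (!ks.isKeyEntry(alias)) {
            return Kind.OTHER;
        }
        Key key = ks.getKey(alias, password);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (!(key instanceof PrivateKey) || chain == null || chain.length == 0) {
            return Kind.OTHER;   // SecretKeyEntry, or a private key stored without its certificate
        }
        boolean matches = keyMatchesCert((PrivateKey) key, chain[0].getPublicKey());
        return matches ? Kind.CLIENT_IDENTITY : Kind.KEY_CERT_MISMATCH;
    }

    /** Sign a fixed message with the private key and verify it with the certificate's public key. */
    static boolean keyMatchesCert(PrivateKey priv, PublicKey pub) {
        String alg;
        switch (priv.getAlgorithm()) {
            case "RSA": alg = "SHA256withRSA";   break;
            case "EC":  alg = "SHA256withECDSA"; break;
            case "DSA": alg = "SHA256withDSA";   break;
            default:    return false;            // unsupported key type for this check
        }
        byte[] msg = "keystore self-check".getBytes(StandardCharsets.UTF_8);
        try {
            Signature signer = Signature.getInstance(alg);
            signer.initSign(priv);
            signer.update(msg);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance(alg);
            verifier.initVerify(pub);   // throws if the public key type does not fit the algorithm
            verifier.update(msg);
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeyStoreCheck <keystore-file> <password>");
            System.exit(2);
        }
        String path = args[0];
        char[] pw = args[1].toCharArray();
        String lower = path.toLowerCase();
        String type = (lower.endsWith(".p12") || lower.endsWith(".pfx")) ? "PKCS12" : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            Kind kind = classify(ks, alias, pw);
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(no certificate)";
            System.out.printf("%-24s %-18s %s%n", alias, kind, subject);
            usable |= (kind == Kind.CLIENT_IDENTITY);
        }
        if (!usable) {
            System.err.println("No usable PrivateKeyEntry: this keystore cannot authenticate a TLS client. "
                    + "Re-export the certificate from the browser together with its private key (PKCS#12).");
            System.exit(1);
        }
    }
}
```

A store that shows only CERT_ONLY entries is exactly the state that produces the empty Certificate message, the server's "Re-negotiation handshake failed: Not accepted by client!?" and the client's handshake_failure alert quoted earlier in the thread. The fix is the one Florian found: export the certificate from the browser together with its private key as PKCS#12 and point the client at that file (or merge it into an existing JKS with keytool -importkeystore), not at the bare certificate. One further caveat on the log posted above: javax.net.debug=ssl output prints the session's pre-master secret, master secret and write keys, so such logs are secrets in their own right and should not be shared from a production connection.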