Topic: Apache 2.4.3 not validating ssl trust chain properly

[jmendezsarabia]

Hi all,

I am in the process of upgrading from apache 2.2.21 to apache 2.4.3. I'm using apache lounge's compiled 2.4.3 by the way. I'm working on a windows 7 SP1 64 bit workstation.

My old 2.2.21 was configured to use ssl with client pki authentication. When I configure 2.4.3 with the ssl options and move the CAs, private key and server certificate from my old 2.2.21 instance I get the following error. Is anybody else having this problem? Or does someone have any suggestions as to why I keep getting these errors? My requests are not being forwarded to my tomcat instance.

[Wed Feb 20 18:42:51.017019 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51252] AH01964: Connection to child 63 established (server localhost:443)
[Wed Feb 20 18:42:51.018019 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_kernel.c(1939): [client ::1:51252] AH02043: SSL virtual host for servername localhost found
[Wed Feb 20 18:42:51.119029 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_io.c(1172): (70014)End of file found: [client ::1:51252] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Feb 20 18:42:51.119029 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51252] AH01998: Connection closed to child 63 with abortive shutdown (server localhost:443)
[Wed Feb 20 18:42:54.006318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH01964: Connection to child 63 established (server localhost:443)
[Wed Feb 20 18:42:54.006318 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_kernel.c(1939): [client ::1:51257] AH02043: SSL virtual host for servername localhost found
[Wed Feb 20 18:42:54.008318 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_kernel.c(1411): [client ::1:51257] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH02008: SSL library error 1 in handshake (server localhost:443)
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH01998: Connection closed to child 63 with abortive shutdown (server localhost:443)

My PKI certificate's chain is:
Certificate Manager
Subordinate Certificate Manager
test certificate

I've verified my PKI agains the CAs I have and the trust chain is validated with openssl.

These are my httpd-ssl.conf directives:

Listen 443 https

SSLProtocol all

SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:C:/apache-test/httpd-2.4.3-win64/Apache24/logs/ssl_gcache_data"
SSLSessionCacheTimeout 1800

<VirtualHost _default_:443>

RewriteEngine On
RewriteOptions Inherit

SSLVerifyClient require
SSLVerifyDepth 3

DocumentRoot "C:/apache-test/httpd-2.4.3-win64/Apache24/htdocs"
ServerName localhost:443

# Turn on the SSL/TLS Protocol Engine (default=off)
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:!NULL:!LOW:!MEDIUM:+TLSv1:+SSLv3

SSLCertificateFile "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/serverCert.pem"
SSLCertificateKeyFile "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/serverKey.pkcs8"

SSLCACertificatePath "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/CAs/"
SSLCARevocationPath "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/CRLs/"

SSLOptions +ExportCertData +StdEnvVars +StrictRequire +OptRenegotiate

SSLUserName SSL_CLIENT_S_DN

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

################################################################################
# Custom Logging configuration
#
# The format of the custom log and its output location is configured here.
#
# Documentation URL: http://httpd.apache.org/docs/2.2/mod/mod_log_config.html
# ------------------------------------------------------------------------------
ErrorLog "C:/apache-test/httpd-2.4.3-win64/Apache24/logs/error_log"
LogLevel debug

LogFormat "%h %l %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
TransferLog "C:/apache-test/httpd-2.4.3-win64/Apache24/logs/access_log"
CustomLog "C:/apache-test/httpd-2.4.3-win64/Apache24/logs/ssl_request_log" \
"%t host: %h user: \"%{SSL_CLIENT_S_DN}x\" protocol: %{SSL_PROTOCOL}x cipher: %{SSL_CIPHER}x request line: \"%r\" size of response: %b status: %s"

ProxyRequests On
ProxyVia On

<Location /client1>
SSLVerifyClient optional
</Location>

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /client1 ajp://localhost/client1
ProxyPassReverse /client1 ajp://localhost/client1

</VirtualHost>

[Steffen]

Try to Google : Apache SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Returns some with same fault.

You can try SSLVerifyDepth >1

When there is a solution, please post here.

Steffen


btw.
Please do not use bold in your text the way you do.

[jmendezsarabia]

I tried setting
SSLVerifyDepth >1
But I get the following error now

[Fri Feb 22 09:39:25.904724 2013] [ssl:debug] [pid 7676:tid 908] ssl_engine_kernel.c(1411): [client ::1:65278] AH02275: Certificate Verification, depth 1, CRL checking mode: chain [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] [client ::1:65278] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Fri Feb 22 09:39:25.904724 2013] [ssl:error] [pid 7676:tid 908] [client ::1:65278] AH02040: Certificate Verification: Certificate Chain too long (chain has 1 certificates, but maximum allowed are only 0)
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] [client ::1:65278] AH02008: SSL library error 1 in handshake (server localhost:443)
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] [client ::1:65278] AH01998: Connection closed to child 63 with abortive shutdown (server localhost:443)

I was having my initial issue on another server earlier today. That server is a Linux RHEL 64 bit server with Apache 2.4.3 with openssl 1.0.1c also. The issue there was that the root certificate was not in the CAs directory. After placing the root CA in the CAs directory, all worked fine. So on my windows instance of apache this may be the same problem. I may need to rework the certificates and see if that is the problem. I'll continue my search also on google with Steffen's suggested query.

I'm still confused though, i've validated the certificate chain with openssl's verify tool and they're ok:
openssl.exe verify -CApath ../conf/CAs ../conf/tester1.crt
../conf/tester1.crt: OK

[jmendezsarabia]

Ok, so I found the solution.

Originally I was verifying my certificates with my old apache instance's openssl (0.9.8r). I tried hashing the certificates with apache 2.4.3's openssl (1.0.1c) and noticed that the hash values were different. I renamed the certificates with the new generated hashes and I was able to get thru to tomcat!

[krishna@]

Hi jmendezsarabia,

Can you provide detailed info as to what is "renamed the certificates with the new generated hashes and I was able to get thru to tomcat"

How have you generated new hashes and renamed them.
Thank you!!

[krishna@]

Can Someone please provide an update onto fix the issue quoted above. Let me know if I need to provide any additional details to debug further

[James Blond]

I think he just just a newer OpenSSL version to create the certs (again).