
Mailing List Archive: Apache: Users

Apache 2.2 asks for client certificate when it shouldn't



mlists at edicom

Dec 30, 2008, 4:20 AM

Post #1 of 3 (379 views)
Apache 2.2 asks for client certificate when it shouldn't

Hi all,

I recently installed an apache web server using version 2.2.9, and I'm having strange issues with the SSL behaviour. I don't need client certificate validation so I didn't use the directive SSLVerifyClient. However, as apache asked for a client certificate, I changed the SSLVerifyClient directive to 'none', with the same results.

I thought it could be a browser issue, however the same config in apache 2.0 doesn't behave this way. On the other hand I'm able to reproduce the problem with firefox 2, 3, seamonkey 1.1.7 and konqueror. I don't see anything related to this in the apache logs. I've done many tests and now I have no clue about why it keeps asking for a certificate. It should be noted though that apache asks for the certificate only once, if I don't restart the browser or delete cookies.
Are there other configuration directives in mod_ssl besides SSLVerifyClient that may influence this behaviour?

Some system information:
OS: Linux 2.6, 64 bit (Gentoo distribution)
Server Version: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8h PHP/5.2.6-pl7-gentoo mod_jk/1.2.26

Any help is greatly appreciated. Thanks!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


krist.vanbesien at gmail

Dec 30, 2008, 8:53 AM

Post #2 of 3 (343 views)
Re: Apache 2.2 asks for client certificate when it shouldn't [In reply to]

On 12/30/08, Miguel Angel Tormo Alfaro <mlists [at] edicom> wrote:

> I thought it could be a browser issue, however the same config in apache 2.0
> doesn't behave this way. On the other hand I'm able to reproduce the problem
> with firefox 2, 3, seamonkey 1.1.7 and konqueror. I don't see anything
> related to this in the apache logs. I've done many tests and now I have no
> clue about why it keeps asking for a certificate. It should be noted though
> that apache asks for the certificate only once, if I don't restart the
> browser or delete cookies.
> Are there other configuration directives in mod_ssl besides SSLVerifyClient
> that may influence this behaviour?

Which other SSL directives do you have in your config? Can you show it to us?

Krist


--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



mlists at edicom

Dec 31, 2008, 4:51 AM

Post #3 of 3 (330 views)
Re: Apache 2.2 asks for client certificate when it shouldn't [In reply to]

On Tuesday, 30 December 2008 17:53:42 krist.vanbesien [at] gmail wrote:
> On 12/30/08, Miguel Angel Tormo Alfaro <mlists [at] edicom> wrote:
>
> > I thought it could be a browser issue, however the same config in apache 2.0
> > doesn't behave this way. On the other hand I'm able to reproduce the problem
> > with firefox 2, 3, seamonkey 1.1.7 and konqueror. I don't see anything
> > related to this in the apache logs. I've done many tests and now I have no
> > clue about why it keeps asking for a certificate. It should be noted though
> > that apache asks for the certificate only once, if I don't restart the
> > browser or delete cookies.
> > Are there other configuration directives in mod_ssl besides SSLVerifyClient
> > that may influence this behaviour?
>
> Which other SSL directives do you have in your config? Can you show it to us?
>
Thank you for your response. Here they are (taken from http://myserver/server-info)

mod_ssl.conf:
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex

Default virtual host conf file:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
SSLCertificateChainFile /etc/apache2/ssl/ips.crt
SSLVerifyClient none

And in the virtual host conf file:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
SSLCertificateChainFile /etc/apache2/ssl/ips.crt
SSLVerifyClient none
SSLOptions -ExportCertData -StdEnvVars +OptRenegotiate

I have been playing with those SSLOptions (adding / removing, etc), but none of them seem to affect this strange behaviour. I'm using name based virtualhosts (one IP), so one certificate for all of them (I'm not relying on SNI as many browsers don't support it yet). It is very difficult to try new things as the error seems to be very random. Today for instance I've done a bunch of tries and it only asked for the certificate once. I've tried from 4 different computers with different browsers.

On the other hand, may it be related to the SSLSessionCache?
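
Added example, not part of any post in this thread: one way to check the question raised above (whether something other than the visible `SSLVerifyClient none` asks for a certificate) is to scan each configuration file, .htaccess files included, for `SSLVerifyClient` at a level other than `none` and report the context it sits in. The function name, the sample configuration and its host name are constructed for illustration; `Include`d files are not followed and must be passed in separately.

```python
import re

# SSLVerifyClient levels that make mod_ssl request a client certificate.
REQUESTING = {"optional", "require", "optional_no_ca"}
SECTION_OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")


def find_client_cert_requests(conf_text, source="<conf>"):
    """Return (source, line_no, context, level) for every SSLVerifyClient
    directive whose level asks the client for a certificate."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            # Track <VirtualHost>, <Directory>, <Location>, ... nesting.
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}".strip())
            continue
        parts = line.split()
        # Directive names and the level argument are case-insensitive.
        if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            level = parts[1].lower()
            if level in REQUESTING:
                context = " > ".join(stack) or "server config"
                findings.append((source, line_no, context, level))
    return findings


# Constructed sample: the vhost says "none", a nested section overrides it.
SAMPLE = """\
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLVerifyClient none
    <Location /private>
        SSLVerifyClient optional
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in find_client_cert_requests(SAMPLE, "sample.conf"):
        print("%s:%d [%s] SSLVerifyClient %s" % finding)
```

An empty result for every file that Apache loads means no `SSLVerifyClient` directive in the configuration is requesting a certificate.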

