Can't get Client certificates to work
|
2013-03-22, 18:42
Post: #1
|
|||
|
|||
Can't get Client certificates to work
Hello!
I hope someone can help me. I'm struggling using Client certificates. Server Certificates are working well as well as Code Signing. Although it took some days to get this to work, now it works fine. But Client certificates won't work at all. I'm using Debian 6.0.7 (squeeze), Apache 2.2.16, OpenSSL 1.0.1. Please find below the steps to create the certificates and my apache configuration. Thank's for helping me. ************************************************ # CREATE ROOT Certificate openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 3650 # CREATE SERVER Certificate openssl req -newkey rsa:2048 -keyout server.key -out server.req openssl ca -config ca.cnf -extensions codesigning -in server.req -out server.crt # REMOVE Passphrase cp server.key server.key.org openssl rsa -in server.key.org -out server.key # SIGN Code openssl cms -sign -binary -noattr -in /var/www-pxe/00\:0c\:29\:41\1\a/loader.iso -signer server.crt -inkey server.key -outform DER -out /var/www-pxe/00\:0c\:29\:41\1\a/loader.sig openssl cms -sign -binary -noattr -in /var/www-pxe/memdisk -signer server.crt -inkey server.key -outform DER -out /var/www-pxe/memdisk.sig openssl cms -sign -binary -noattr -in /var/www-pxe/bootstrap.ipxe -signer server.crt -inkey server.key -outform DER -out /var/www-pxe/bootstrap.ipxe.sig # CREATE CLIENT Certificate openssl req -newkey rsa:2048 -keyout client.key -out client.req openssl ca -config ca.cnf -in client.req -out client.crt # REMOVE Passphrase cp client.key client.key.org openssl rsa -in client.key.org -out client.key # MAKE undionly make bin/undionly.kpxe EMBED=test.ipxe make bin/undionly.kpxe EMBED=test.ipxe TRUST=server.crt CERT=client.crt PRIVKEY=client.key ************************************************ Here's my Apache Configuration: ************************************************ <IfModule mod_ssl.c> <VirtualHost *:443> DocumentRoot /var/www-pxe SSLEngine on SSLOptions +StrictRequire SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM SSLCACertificateFile /var/ipxe/src/client.crt SSLCertificateFile /var/ipxe/src/server.crt SSLCertificateKeyFile /var/ipxe/src/server.key <Directory /> <------>SSLRequireSSL <------>Options FollowSymlinks <------>AllowOverride None <------> <------>SSLVerifyClient require <------>SSLVerifyDepth 1 </Directory> <Directory /var/www-pxe/> <------>Options Indexes FollowSymLinks MultiViews <------>AllowOverride None <------>Order allow,deny <------>allow from all </Directory> BrowserMatch "MSIE [2-5]" \ <------>nokeepalive ssl-unclean-shutdown \ <------>downgrade-1.0 force-response-1.0 </VirtualHost> </IfModule> |
|||
2013-03-23, 22:02
Post: #2
|
|||
|
|||
RE: Can't get Client certificates to work | |||
2013-03-25, 09:56
(This post was last modified: 2013-03-25 10:09 by Viator.)
Post: #3
|
|||
|
|||
RE: Can't get Client certificates to work
(2013-03-23 22:02)mcb30 Wrote: Thanks for giving detailed descriptions of your configuration. Unfortunately, you haven't said what the actual problem is anywhere. What error are you seeing? Hello Michael! Sorry for not mention this "detail". I get an "Operation not permitted (http://ipxe.org/410de13c)" on the client. http://ipxe.org/410de13c tells me to use the latest version, I've checked out the latest version of ipxe. The clients starts up fine if no client certificate verification is used. btw. my ca.cnf is exactly the one from http://ipxe.org/crypto with the exception of default_md = sha1 instead of default. This is due to that default did not work on the Version of OpenSSl which ships with Debian and md5 isn't recommended by OpenSSL. Thank you. Thorsten Just to give my complete config: I use the following embedded script and boostrap.ipxe ********************************************* #!ipxe imgtrust --permanent dhcp isset ${proxydhcp/next-server} && set next-server ${proxydhcp/next-server} initrd --name bootstrap https://${next-server}/bootstrap.ipxe || shell. imgverify bootstrap https://${next-server}/bootstrap.ipxe.sig || shell boot bootstrap #shell ********************************************* bootstrap: ********************************************* #!ipxe imgtrust --permanent initrd --name loader https://${next-server}/${mac}/loader.iso || shell imgverify loader https://${next-server}/${mac}/loader.sig || shell initrd --name kernel https://${next-server}/memdisk || shell imgverify kernel https://${next-server}/memdisk.sig || shell boot kernel iso ********************************************* |
|||
2013-03-25, 11:57
Post: #4
|
|||
|
|||
RE: Can't get Client certificates to work
(2013-03-25 09:56)Viator Wrote: Sorry for not mention this "detail". I get an "Operation not permitted (http://ipxe.org/410de13c)" on the client. Thanks for clarifying! I think this might be the problem: Quote: I haven't tested, but I suspect that Apache wants the CA certificate that signed the client certificate specified here, rather than the client certificate itself. Try: Code: SSLCACertificateFile /var/ipxe/src/ca.crt Michael |
|||
2013-03-25, 13:20
Post: #5
|
|||
|
|||
RE: Can't get Client certificates to work
(2013-03-25 11:57)mcb30 Wrote: I haven't tested, but I suspect that Apache wants the CA certificate that signed the client certificate specified here, rather than the client certificate itself. Try: Hi Michael! Thank's for your reply. I've recreated all keys and certs (the way I did describe in my first post) to be sure they match and then I tried to use ca.crt - same result. With client-certificate verification turned on, the client won't start but does so if the verification is switched off. :-( Since I know that common-name can't be omitted and must be a valid address I also have tried using the clients ip in the client certificate with no result (even this would work, this would make problems in a real environment since I do not really know the clients ip) In the "docu" theres a cross certificate mentioned (openssl ca -config ca.cnf -extensions cross -notext -preserveDN -ss_cert startcom.crt -out startcom-cross.crt) but I do not know if an how this is important for me. How should I use this certificates? Thorsten |
|||
2013-03-25, 13:50
Post: #6
|
|||
|
|||
RE: Can't get Client certificates to work
(2013-03-25 13:20)Viator Wrote: I've recreated all keys and certs (the way I did describe in my first post) to be sure they match and then I tried to use ca.crt - same result. With client-certificate verification turned on, the client won't start but does so if the verification is switched off. :-( The client certificate name doesn't really matter. You can use the SSLRequire directive for Apache to restrict which client certificates are accepted; I think the default is to accept any certificates which can be validated. Quote:In the "docu" theres a cross certificate mentioned (openssl ca -config ca.cnf -extensions cross -notext -preserveDN -ss_cert startcom.crt -out startcom-cross.crt) but I do not know if an how this is important for me. How should I use this certificates? Cross-signing is not relevant to your setup. Have you checked the server log files to see if it contains any explanations? Failing that, you could try capturing the traffic, and post the capture file somewhere I can fetch it. Michael |
|||
2013-03-27, 14:27
Post: #7
|
|||
|
|||
RE: Can't get Client certificates to work
Update:
Now I'm running on Ubuntu Server 12.10 with the same results. But at least Ubuntu comes with an actual Version of openSSL which allows CMS. I created logs using wireshark. Should I upload the files or send by mail (address?)? Thorsten |
|||
2013-03-27, 15:55
Post: #8
|
|||
|
|||
RE: Can't get Client certificates to work
(2013-03-27 14:27)Viator Wrote: Now I'm running on Ubuntu Server 12.10 with the same results. But at least Ubuntu comes with an actual Version of openSSL which allows CMS. Thanks for sending the logs. I can see a few problems. Firstly, the server seems to be providing an incorrect certificate chain containing two certificates, both of which are self-signed (i.e. issuer is the same as subject). Secondly, the server is not requesting a client certficiate from iPXE, which is why iPXE is not providing one. I would suggest that you try recreating your configuration from scratch, following the instructions on http://ipxe.org/crypto verbatim as far as possible. Michael |
|||
2013-03-28, 11:51
Post: #9
|
|||
|
|||
RE: Can't get Client certificates to work
(2013-03-27 15:55)mcb30 Wrote: I would suggest that you try recreating your configuration from scratch, following the instructions on http://ipxe.org/crypto verbatim as far as possible. Hello Michael! Thank you for your reply. I've been following the instructions. I've changed the configuration. Now I've created a CA Certificate and 3 other Certificates, one for the server, one for the code signing and one for the client verification which I have signed using the CA. Please have a look at the end, I add the script I use. In httpd.conf I use them this way: Code: SSLCACertificateFile /var/asys/ipxe/certs/ca.crt https and codesigning works quite fine. Still no success with client verification and I run out if ideas. apache errorlog shows: Code: Connection: Client IP: 192.168.11.131, Protocol: TLSv1.2, Cipher: AES256-SHA256 (256/256 bits) Here the script to create the sertificates: Code: #!/bin/bash And here my complete http.conf Code: <IfModule mod_ssl.c> |
|||
2013-03-28, 22:04
Post: #10
|
|||
|
|||
RE: Can't get Client certificates to work
Maybe I'm missing something here, but I can't see any indication that you've specified _intention_ for the server and client sertificates. Mustn't they be specified as TLS Server/Client-type certificates? I'm not exactly sure how that is done with openssl, but unless those flags aren't specified in a config file not included (like ca.cnf or something else) I'm going to assume that might be a possible problem. BTW: Using curl with the client certificates against your server (which has ssqlrequire set) should make it quicker to verify that your setup works.
|
|||
2013-03-29, 09:58
Post: #11
|
|||
|
|||
RE: Can't get Client certificates to work
(2013-03-28 22:04)robinsmidsrod Wrote: Maybe I'm missing something here, but I can't see any indication that you've specified _intention_ for the server and client sertificates. Mustn't they be specified as TLS Server/Client-type certificates? I'm not exactly sure how that is done with openssl, but unless those flags aren't specified in a config file not included (like ca.cnf or something else) I'm going to assume that might be a possible problem. BTW: Using curl with the client certificates against your server (which has ssqlrequire set) should make it quicker to verify that your setup works. Hello Robin! Thank you for your answer. I have user the ca.cnf as specified here ipxe crypto with the exception of the parameter "default_md" which doesn't accept the value of "default", so i set it to sha1. Here is the ca.cnf I use: Code: [ ca ] I'm not that good in openSSL to find out where the problem may be but as far as I could find out using google this should be OK. In previous attempts to get it running I also tried md5 without success. Since Michael mentioned that the server sends two combined certs I also tried to use the CA Cert on the Server which also worked fine for SSL and Code Verification but not for Client Verification. I have never used curl (I'm a Windows Developer - eh - have been ;-) )but I will give it a try. Additional I have another question: Doesn't ipxe resolve server addresses? "Problem" is that I'm not able to specify a URL like https://ipxe.myserver.com in the script. I have to use the IP which causes me to use the IP as CommonName in the Certs which isn't really a problem but using a machine name would be nicer. But probably this is an dnsmask configuration issue. Thank you all for your trying to help me. Thorsten |
|||
2013-03-29, 17:19
Post: #12
|
|||
|
|||
RE: Can't get Client certificates to work
That last problem is most likely because of some DNS problem you're having in your environment. I'd suggest you try to solve that before you deal with your certificate problem. Getting HTTPS to work properly requires a functioning DNS, AFAIK.
|
|||
2013-04-02, 14:43
Post: #13
|
|||
|
|||
RE: Can't get Client certificates to work
SOLVED
The configuration for Apache MUST contain an "SSLRequire" phrase like in here (last entry): Code: <Directory __HTTP_PATH__> This solves a big issue. Next is the DNS-problem. Thank you for trying to help me. |
|||
« Next Oldest | Next Newest »
|
User(s) browsing this thread: 4 Guest(s)