(2013-03-27 15:55)mcb30 Wrote: I would suggest that you try recreating your configuration from scratch, following the instructions on http://ipxe.org/crypto verbatim as far as possible.
Hello Michael!
Thank you for your reply. I've been following the instructions.
I've changed the configuration. Now I've created a CA certificate and three other certificates, one for the server, one for code signing and one for client verification, which I have signed using the CA. Please have a look at the end; I've added the script I use.
In httpd.conf I use them this way:
Code:
SSLCACertificateFile /var/asys/ipxe/certs/ca.crt
SSLCertificateFile /var/asys/ipxe/certs/server.crt
SSLCertificateKeyFile /var/asys/ipxe/certs/server.key
HTTPS and code signing work quite fine. Still no success with client verification, and I'm running out of ideas.
The Apache error log shows:
Code:
Connection: Client IP: 192.168.11.131, Protocol: TLSv1.2, Cipher: AES256-SHA256 (256/256 bits)
ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7f2750001340 [mem: 7f2750006c73] (BIO dump follows)
ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
ssl_engine_io.c(1869): | 0000: 17 03 03 00 90 ..... |
ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
ssl_engine_io.c(1897): OpenSSL: read 144/144 bytes from BIO#7f2750001340 [mem: 7f2750006c78] (BIO dump follows)
ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
ssl_engine_io.c(1869): | 0000: 5a e3 f2 d6 8b cf f2 67-58 fa 04 c7 82 b2 ff 02 Z......gX....... |
ssl_engine_io.c(1869): | 0010: 30 b2 52 6a 92 b9 2f b3-71 18 1f 94 73 ec a1 6e 0.Rj../.q...s..n |
ssl_engine_io.c(1869): | 0020: 40 c3 79 3b d6 18 7e 2c-10 9f c3 12 43 d5 5f e1 @.y;..~,....C._. |
ssl_engine_io.c(1869): | 0030: 09 da f0 0e 85 d8 2d 37-8e 4a 44 c5 aa dc 54 60 ......-7.JD...T` |
ssl_engine_io.c(1869): | 0040: 8f e7 fa 80 b7 6f 40 fc-59 95 04 f0 45 b3 2e 66 .....o@.Y...E..f |
ssl_engine_io.c(1869): | 0050: 5b 6f 52 eb 7b c3 8f 49-be d0 5b 8f 36 98 ef e1 [oR.{..I..[.6... |
ssl_engine_io.c(1869): | 0060: 86 ec 63 f4 95 e5 93 cd-85 59 61 7a df ee c8 25 ..c......Yaz...% |
ssl_engine_io.c(1869): | 0070: 02 b2 43 34 5e 74 41 1b-ea 56 29 ec d8 ab 68 cc ..C4^tA..V)...h. |
ssl_engine_io.c(1869): | 0080: d9 e3 8b 47 76 e9 02 0b-ff df d7 13 9d 21 35 e6 ...Gv........!5. |
ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
Initial (No.1) HTTPS request received for child 1 (server 192.168.11.152:443)
ssl_engine_kernel.c(510): [client 192.168.11.131] Changed client verification type will force renegotiation
[client 192.168.11.131] Requesting connection re-negotiation
ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f2750001340 [mem: 7f2750006c73]
ssl_engine_kernel.c(764): [client 192.168.11.131] Performing full renegotiation: complete handshake protocol (client
ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
ssl_engine_kernel.c(1884): OpenSSL: Write: SSL renegotiate ciphers
ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSL renegotiate ciphers
[client 192.168.11.131] Re-negotiation request failed
SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
Here is the script to create the certificates:
Code:
#!/bin/bash
# Creates the CA, the server, code-signing and client certificates, signs the
# boot files and rebuilds undionly.kpxe with the CA and client certificate
# embedded. Stop at the first failure so a broken step never leaves a stale
# undionly.kpxe or an unsigned file behind.
set -eu

banner() {
    echo
    echo ============================================================================
    echo
    echo " $1"
    echo
    echo ============================================================================
    echo
}

# Private keys and the passphrase file must not be world-readable.
umask 077
cd /var/asys/ipxe/certs
# The same file is passed to -passin and -passout: OpenSSL reads the first
# line as the input passphrase and the second line as the output passphrase.
rm -f sslpass
echo secure2013 >> sslpass
echo secure2013 >> sslpass

banner 'Creating CA Certificate'
# CREATE ROOT Certificate (self-signed, valid 10 years)
openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 3650 \
    -subj "/C=AT/ST=Vienna/L=Vienna/O=asys/CN=secureBoot" \
    -passin file:sslpass -passout file:sslpass

banner 'Creating SERVER Certificate'
# CREATE Certificate request; the CN must match the address iPXE uses in its URLs
openssl req -newkey rsa:2048 -keyout server.key -out server.req \
    -subj "/C=AT/ST=Vienna/L=Vienna/O=mycompany/CN=192.168.11.152" \
    -passin file:sslpass -passout file:sslpass
# SIGN Certificate using CA Certificate. ca.cnf (not shown here) must point at
# the CA database (index.txt, serial, new_certs_dir) and, because all three
# requests in this script carry the same subject, set unique_subject = no;
# otherwise the second and third "openssl ca" runs fail with
# "There is already a certificate for ...".
openssl ca -config ca.cnf -in server.req -out server.crt \
    -passin file:sslpass -batch

banner 'Creating CODE SIGN Certificate'
# CREATE Certificate request
openssl req -newkey rsa:2048 -keyout codesign.key -out codesign.req \
    -subj "/C=AT/ST=Vienna/L=Vienna/O=mycompany/CN=192.168.11.152" \
    -passin file:sslpass -passout file:sslpass
# SIGN using the "codesigning" extension section of ca.cnf (codeSigning EKU)
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt \
    -passin file:sslpass -batch

banner 'Creating CLIENT Certificate'
# CREATE Certificate request for the certificate iPXE presents to Apache
openssl req -newkey rsa:2048 -keyout client.key -out client.req \
    -subj "/C=AT/ST=Vienna/L=Vienna/O=mycompany/CN=192.168.11.152" \
    -passin file:sslpass -passout file:sslpass
# SIGN Certificate using CA Certificate
openssl ca -config ca.cnf -in client.req -out client.crt \
    -passin file:sslpass -batch

banner 'Removing Passwords'
# Apache and the iPXE build need unencrypted keys; the encrypted originals
# are kept as *.key.org.
for k in ca server client codesign; do
    cp "$k.key" "$k.key.org"
    openssl rsa -in "$k.key.org" -out "$k.key" -passin file:sslpass
done

banner 'Signing CODE'
# Signatures and the boot image are served to clients: make new files
# world-readable again.
umask 022
# Detached DER CMS signature next to each file, with the signer and CA
# certificates included so the verifier can build the chain.
sign() {
    openssl cms -sign -binary -noattr -signer codesign.crt -inkey codesign.key \
        -certfile ca.crt -outform DER -in "$1" -out "$2"
}
sign /var/asys/www/bootstrap.ipxe /var/asys/www/bootstrap.ipxe.sig
sign /var/asys/www/memdisk /var/asys/www/memdisk.sig
sign "/var/asys/www/00:0c:29:41:d1:da/loader.iso" "/var/asys/www/00:0c:29:41:d1:da/loader.sig"

banner 'MAKING undionly.kpxe'
# UPDATE IPXE from GIT
# cd /var/ipxe
# git pull
# MAKE undionly
cd /usr/src/ipxe/src
# clear certificates: a first build without any embedded certificate
make bin/undionly.kpxe EMBED=/var/asys/ipxe/scripts/secureBoot.ipxe
# make using new certificates: the CA as trust root, plus the client
# certificate and key so iPXE can answer the server's certificate request
#make bin/undionly.kpxe EMBED=/var/asys/ipxe/scripts/secureBoot.ipxe TRUST=/var/asys/ipxe/certs/ca.crt
make bin/undionly.kpxe EMBED=/var/asys/ipxe/scripts/secureBoot.ipxe \
    TRUST=/var/asys/ipxe/certs/ca.crt \
    CERT=/var/asys/ipxe/certs/client.crt \
    PRIVKEY=/var/asys/ipxe/certs/client.key
cp bin/undionly.kpxe /var/asys/pxe/undionly.kpxe.0

banner 'RESTARTING webservices'
/var/asys/restart.sh
And here is my complete httpd.conf:
Code:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName 192.168.11.152:443
        DocumentRoot /var/asys/www
        SSLEngine on
        SSLOptions +StrictRequire
        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
        SSLCACertificateFile /var/asys/ipxe/certs/ca.crt
        SSLCertificateFile /var/asys/ipxe/certs/server.crt
        SSLCertificateKeyFile /var/asys/ipxe/certs/server.key
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/asys/www>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            SSLRequireSSL
            #SSLRequire
            SSLVerifyClient require
            SSLVerifyDepth 10
        </Directory>
        BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        LogLevel debug
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    </VirtualHost>
</IfModule>
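The error log in the post explains the failure: `SSLVerifyClient require` sits inside a `<Directory>` block, so mod_ssl completes the TLS handshake first, only learns after reading the request line that this directory needs a client certificate (`Changed client verification type will force renegotiation`), and then tries to renegotiate; OpenSSL refuses with `unsafe legacy renegotiation disabled` because the client did not advertise RFC 5746 secure renegotiation. The fragment below is an added example, not the poster's configuration: it shows the per-directory form next to the virtual-host form, in which Apache sends the CertificateRequest in the initial handshake and no renegotiation ever happens. Paths and the address are the ones from the post; everything else is illustrative.

```apache
# Weak: per-directory client verification. Apache has to renegotiate the
# already-established session once it sees which directory the request hits,
# and a client without RFC 5746 support is rejected with
# "unsafe legacy renegotiation disabled".
<VirtualHost *:443>
    ServerName 192.168.11.152:443
    DocumentRoot /var/asys/www
    SSLEngine on
    SSLCertificateFile /var/asys/ipxe/certs/server.crt
    SSLCertificateKeyFile /var/asys/ipxe/certs/server.key
    SSLCACertificateFile /var/asys/ipxe/certs/ca.crt
    <Directory /var/asys/www>
        # per-directory: forces a renegotiation after the first handshake
        SSLVerifyClient require
        SSLVerifyDepth 10
    </Directory>
</VirtualHost>

# Corrected: verification at virtual-host level. The certificate request is
# part of the initial handshake, so the session is either authenticated from
# the start or refused; nothing is renegotiated.
<VirtualHost *:443>
    ServerName 192.168.11.152:443
    DocumentRoot /var/asys/www
    SSLEngine on
    SSLOptions +StrictRequire
    # The log shows this client negotiating TLSv1.2 already; SSLv3 only adds
    # attack surface.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /var/asys/ipxe/certs/server.crt
    SSLCertificateKeyFile /var/asys/ipxe/certs/server.key
    # The only CA whose client certificates are accepted.
    SSLCACertificateFile /var/asys/ipxe/certs/ca.crt
    SSLVerifyClient require
    # client.crt is signed directly by ca.crt: one level is enough.
    SSLVerifyDepth 1
    <Directory /var/asys/www>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

Before rebuilding undionly.kpxe, check the server side on its own: `openssl s_client -connect 192.168.11.152:443 -cert client.crt -key client.key -CAfile ca.crt </dev/null` should complete a single handshake and list the subject of ca.crt under "Acceptable client certificate CA names", and `curl --cacert ca.crt --cert client.crt --key client.key https://192.168.11.152/bootstrap.ipxe` should return the script. If that works without any renegotiation entry in the error log, the remaining problem is on the iPXE side.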
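The posted script depends on a ca.cnf it does not show, and nothing in it checks that the certificates or signatures are what Apache and iPXE will accept. The following is an added example, not code from the post or from the iPXE project. It writes a minimal ca.cnf (the CA database layout, one extension section per role, the `codesigning` section that `-extensions codesigning` expects, and `unique_subject = no`), issues the three certificates with distinct CNs, verifies each one's chain and extended key usage with `openssl verify`, signs a constructed sample script with the same `openssl cms` flags as the post, verifies the detached signature, and finally confirms that a modified file fails verification. The subjects, the `./ca` database directory and the sample script contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the iPXE project): the
# ca.cnf and CA database the posted script assumes, plus the checks that
# prove what Apache and iPXE will see. Subjects and paths are assumptions.
set -eu

# ca.cnf: CA database layout and one extension section per certificate role.
write_ca_cnf() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
policy = policy_any
unique_subject = no
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ codesigning ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
}
# Database files "openssl ca" insists on.
init_ca_db() { mkdir -p ca/newcerts && : > ca/index.txt && echo 01 > ca/serial; }
# Self-signed root; -nodes because the posted script strips passphrases anyway.
make_root_ca() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout ca.key -out ca.crt -subj "/O=asys/CN=secureBoot" 2>/dev/null
}
# issue_cert NAME EXTSECTION CN: request, then CA signature with the role's EKU.
issue_cert() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.req" -subj "/O=mycompany/CN=$3" 2>/dev/null &&
  openssl ca -config ca.cnf -batch -notext -extensions "$2" \
    -in "$1.req" -out "$1.crt" >/dev/null 2>&1
}
# Chain and purpose check the way Apache (sslclient) or iPXE (sslserver) does it.
check_cert() { openssl verify -CAfile ca.crt -purpose "$2" "$1.crt" >/dev/null 2>&1; }
# Detached DER CMS signature with the flags from the post.
sign_file() {
  openssl cms -sign -binary -noattr -signer codesign.crt -inkey codesign.key \
    -certfile ca.crt -outform DER -in "$1" -out "$1.sig"
}
# -purpose any: the signer carries only the codeSigning EKU, which the
# default S/MIME purpose check of "cms -verify" would reject.
verify_sig() {
  openssl cms -verify -binary -inform DER -in "$1.sig" -content "$1" \
    -CAfile ca.crt -purpose any -out /dev/null 2>/dev/null
}
# build_pki DIR: the whole flow in DIR; returns 0 only if every check passes.
# bootstrap.ipxe is a constructed sample input.
build_pki() (
  mkdir -p "$1" && cd "$1" && write_ca_cnf && init_ca_db && make_root_ca &&
  issue_cert server server 192.168.11.152 &&
  issue_cert codesign codesigning "iPXE code signing" &&
  issue_cert client client "iPXE client" &&
  check_cert server sslserver && check_cert client sslclient &&
  openssl x509 -in codesign.crt -noout -text | grep -q "Code Signing" &&
  printf '#!ipxe\necho constructed sample\n' > bootstrap.ipxe &&
  sign_file bootstrap.ipxe && verify_sig bootstrap.ipxe
)
# tamper_check DIR: the signature must not verify a modified script.
tamper_check() (
  cd "$1" && printf '#!ipxe\necho modified\n' > tampered.ipxe &&
  cp bootstrap.ipxe.sig tampered.ipxe.sig && ! verify_sig tampered.ipxe
)
```

Run `build_pki ./pki && tamper_check ./pki` from a scratch directory; the resulting ca.crt, client.crt and client.key are the files the `TRUST=`, `CERT=` and `PRIVKEY=` build options take, and the sslclient check is the same purpose test mod_ssl applies when it validates the presented client certificate.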