Apache certificates for some URLs not working

Posted by Vegaasen on Server Fault See other posts from Server Fault or by Vegaasen
Published on 2012-10-11T07:39:52Z Indexed on 2012/10/11 9:40 UTC


We are having a rather strange problem with an Apache installation. Here is a short summary:

Currently I'm setting up Apache with HTTPS and server certificates. This is fairly easy and works straight out of the box, as expected. This is the configuration for this setup:

Listen 443

SSLEngine on

SSLCertificateFile "/progs/apache/ssl/example-site.no.pem"
SSLCertificateKeyFile "/progs/apache/ssl/example-site.no.key"

SSLCACertificateFile "/progs/apache/ssl/ca/example_root.pem"
SSLCADNRequestFile  "/progs/apache/ssl/ca/example_intermediate.pem"

SSLVerifyClient none
SSLVerifyDepth 3

SSLOptions +StdEnvVars +ExportCertData

RequestHeader set ssl-ClientCert-Subject-CN "%{SSL_CLIENT_S_DN}s"

RewriteEngine On
ProxyPreserveHost On
ProxyRequests On
SSLProxyEngine On

...

<LocationMatch /secureStuff/$>
    SSLVerifyClient require
    Order deny,allow
    Allow from All
</LocationMatch>

...

<Proxy balancer://exBalancer>
    Header add Set-Cookie "EX_ROUTE=EB.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
    BalancerMember http://10.0.0.1:7200 route=ee1 retry=300 flushpackets=off keepalive=on
    BalancerMember http://10.0.0.2:7200 route=ee2 retry=300 flushpackets=off keepalive=on status=+H
    ProxySet stickysession=EX_ROUTE scolonpathdelim=Off timeout=10 nofailover=off failonstatus=505 maxattempts=1 lbmethod=bybusyness
    Order deny,allow
    Allow from all
</Proxy>

RewriteCond %{REQUEST_URI} !^/index.html [NC]
RewriteRule ^/(.*)$ balancer://exBalancer/$1 [P,NC]

ProxyPassReverse / balancer://exBalancer/

Header edit Set-Cookie "(.*)" "$1;HttpsOnly"

...

So everything works fine and as expected for all of the pages that are not part of the LocationMatch directive.

When requesting something that matches the LocationMatch directive, I'm asked for a certificate (hence the SSLVerifyClient require directive), and I get all the correct certificates in my browser based on the root/intermediate chain. After choosing a certificate and clicking "OK", this is what pops up in the Apache logs:

[ssl:info] [pid 9530:tid 25] [client :43357] AH01998: Connection closed to child 86 with abortive shutdown ( [Thu Oct 11 09:27:36.221876 2012] [ssl:debug] [pid 9530:tid 25] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45846] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

And this just spams the logs. What is happening here? I can see this configuration working on my local machine, but not on one of our servers. There are no configuration differences between the servers, only minor application-wise changes.
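As an added example (not part of the original question or of Apache), here is a small Python parser for Apache 2.4 error-log entries of the shape quoted above, which counts the AH codes and flags clients whose client-certificate handshakes keep aborting with AH02007. The two quoted log lines are embedded as-is; the remaining sample lines and the "three aborts from one client" threshold are constructed for the example.

```python
import re
from collections import Counter

# Apache 2.4 error-log shape, as in the question:
#   [timestamp] [module:level] [pid P:tid T] ... [client IP:PORT] AHnnnnn: message
# The leading timestamp is optional because the first quoted line was cut off before it.
ENTRY_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?"
    r"\[(?P<module>[a-z0-9_]+):(?P<level>[a-z]+)\]\s+"
    r"\[pid\s+(?P<pid>\d+)(?::tid\s+(?P<tid>\d+))?\]\s+"
    r"(?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"\[client\s+(?P<ip>[^:\]\s]*):(?P<port>\d+)\]")
# Message text runs up to the next "[...]" bracket (e.g. the "[Hint: ...]" suffix).
AH_RE = re.compile(r"\b(?P<code>AH\d{5}):\s*(?P<msg>[^\[]*)")

# The mod_ssl code from the question: "SSL handshake interrupted by system".
HANDSHAKE_ABORT = "AH02007"


def parse_entry(line):
    """Return a dict for one error-log line, or None if it is not an Apache entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    entry = {
        "timestamp": m.group("ts"),
        "module": m.group("module"),
        "level": m.group("level"),
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")) if m.group("tid") else None,
        "client_ip": None,
        "client_port": None,
        "code": None,
        "message": rest,
    }
    c = CLIENT_RE.search(rest)
    if c:
        entry["client_ip"] = c.group("ip") or None  # empty IP in the cut-off line
        entry["client_port"] = int(c.group("port"))
    a = AH_RE.search(rest)
    if a:
        entry["code"] = a.group("code")
        entry["message"] = a.group("msg").strip()
    return entry


def summarize(lines, abort_threshold=3):
    """Count AH codes and list clients with at least abort_threshold AH02007 entries."""
    by_code = Counter()
    aborts_by_client = Counter()
    for line in lines:
        e = parse_entry(line)
        if e is None or e["code"] is None:
            continue
        by_code[e["code"]] += 1
        if e["code"] == HANDSHAKE_ABORT and e["client_ip"]:
            aborts_by_client[e["client_ip"]] += 1
    noisy = sorted(ip for ip, n in aborts_by_client.items() if n >= abort_threshold)
    return {
        "by_code": dict(by_code),
        "aborts_by_client": dict(aborts_by_client),
        "noisy_clients": noisy,
    }


# Constructed sample log: the two entries quoted in the question, then made-up
# repeats of the same failure from the same client, plus unrelated entries.
SAMPLE_LOG = [
    "[ssl:info] [pid 9530:tid 25] [client :43357] AH01998: Connection closed to child 86 with abortive shutdown (",
    "[Thu Oct 11 09:27:36.221876 2012] [ssl:debug] [pid 9530:tid 25] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45846] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]",
    "[Thu Oct 11 09:27:37.001000 2012] [ssl:debug] [pid 9530:tid 26] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45847] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]",
    "[Thu Oct 11 09:27:38.002000 2012] [ssl:debug] [pid 9530:tid 27] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45848] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]",
    "[Thu Oct 11 09:27:39.000000 2012] [ssl:debug] [pid 9530:tid 28] ssl_engine_io.c(1171): (70014)End of file found: [client 192.0.2.10:51000] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]",
    "[Thu Oct 11 09:27:40.000000 2012] [core:notice] [pid 9529:tid 1] AH00094: Command line: '/progs/apache/bin/httpd'",
    "not an apache log line",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for code, n in sorted(result["by_code"].items()):
        print(f"{code}: {n}")
    print("clients with repeated handshake aborts:", result["noisy_clients"])
```

Pointing summarize() at the real error log (for example the lines collected while one protected URL is requested) separates a single "stop button" abort from the per-request loop described here: one client producing a run of AH02007 entries within seconds is the signature to look for before comparing OpenSSL versions between the two servers.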

I've tried the following:

1) Removing CA-certificate checking (works)
2) Adding the required CA certificate for the whole site (works)
3) Adding "SSLVerifyClient optional" (does not work)
4) ++

Server/Application Information

Local:

- OpenSSL v.1.0.1x
- Apache 2.4.3
- Ubuntu
- mpm: event
- every configuration should be turned on

(failing) server:

- OpenSSL 0.9.8e
- Apache 2.4.2
- SunOS
- mpm: worker
- every configuration should be turned on

Please let me know if more information is needed, I'll provide it instantly.

Brief summary:

- Running Apache 2.4
- Server certificates work just fine
- Client certificates for some /Locations do not work and fail with errors

PS:

Could it be related to the OpenSSL version and the "Renegotiation" stuff related to TLS/SSLv3?

© Server Fault or respective owner
