Apache certificates for some urls not working
Posted
by
Vegaasen
on Server Fault
See other posts from Server Fault
or by Vegaasen
Published on 2012-10-11T07:39:52Z
Indexed on
2012/10/11
9:40 UTC
Read the original article
Hit count: 215
We are having a rather strange problem with a Apache-installation. Here is a short summary:
Currently I'm setting up Apache with https, and server-certificates. This is fairly easy and works straight out of the box - as expected. This is the configuration for this setup:
Listen 443
SSLEngine on
SSLCertificateFile "/progs/apache/ssl/example-site.no.pem"
SSLCertificateKeyFile "/progs/apache/ssl/example-site.no.key"
SSLCACertificateFile "/progs/apache/ssl/ca/example_root.pem"
SSLCADNRequestFile "/progs/apache/ssl/ca/example_intermediate.pem"
SSLVerifyClient none
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
RequestHeader set ssl-ClientCert-Subject-CN "%{SSL_CLIENT_S_DN}s"
RewriteEngine On
ProxyPreserveHost On
ProxyRequests On
SSLProxyEngine On
...
<LocationMatch /secureStuff/$>
SSLVerifyClient require
Order deny,allow
Allow from All
</LocationMatch>
...
<Proxy balancer://exBalancer>
Header add Set-Cookie "EX_ROUTE=EB.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
BalancerMember http://10.0.0.1:7200 route=ee1 retry=300 flushpackets=off keepalive=on
BalancerMember http://10.0.0.2:7200 route=ee2 retry=300 flushpackets=off keepalive=on status=+H
ProxySet stickysession=EX_ROUTE scolonpathdelim=Off timeout=10 nofailover=off failonstatus=505 maxattempts=1 lbmethod=bybusyness
Order deny,allow
Allow from all
</Proxy>
RewriteCond %{REQUEST_URI} !^/index.html [NC]
RewriteRule ^/(.*)$ balancer://exBalancer/$1 [P,NC]
ProxyPassReverse / balancer://exBalancer/
Header edit Set-Cookie "(.*)" "$1;HttpsOnly"
...
So - everything works fine and as expected for all of the pages that are not a part of the LocationMatch-directive.
When requesting something that matches the LocationMatch-directive, I'm asked for a certificate (hence the SSLVerifyClient required attribute) - and getting all the correct certificates in my browser that is based on the root/intermediate chain. After choosing a certificate and clicking "OK", this is what pops up in the apache logs:
[ssl:info] [pid 9530:tid 25] [client :43357] AH01998: Connection closed to child 86 with abortive shutdown ( [Thu Oct 11 09:27:36.221876 2012] [ssl:debug] [pid 9530:tid 25] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45846] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
And this just spams the logs. What is happening here? I can see this configuration working on my local machine, but not on one of our servers. There is no configration differences between the servers, only minor application-wise-changes.
I've tried the following: 1) Removing CA-certificate-checking (works) 2) Adding required CA-certificate for the whole site (works) 3) Adding "SSLVerifyClient optional" does not work 4) ++
Server/Application Information
Local:
-OpenSSL v.1.0.1x -Apache 2.4.3 -Ubuntu -mpm: event -every configuration should be turned on
(failing) server:
-OpenSSL 0.9.8e -Apache 2.4.2 -SunOS -mpm: worker -every configuration should be turned on
Please let me know if more information is needed, I'll provide it instantly.
Brief sum-up:
-Running apache 2.4 -Server certificates works just fine -Client certificates for some /Locations does not work, fails with errors
PS:
Could it be related with the OpenSSL version and the "Renegotiation" stuff related to TLS/SSLv3?
© Server Fault or respective owner