Re: Am I using SSLCACertificateFile as intended?



04-24-2007
Omar W. Hannet

I think all you need to do is tighten up your SSLRequire rules.

Something like this (all on one line, omitting the backslash at line-end):

SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 \
and %{SSL_CLIENT_I_DN} eq "IssuingCA2"

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23


Omar

dpmott@sep.com wrote:
> Hi all --
>
> I'm having some trouble configuring Apache/mod_ssl to do what I want.
> Perhaps I have some misconceptions that need to be dispelled. Any help would be
> greatly appreciated.
>
> OVERVIEW/GOAL:
> I'm retrofitting some Apache servers to require client certificates. Note
> that these servers have certificates that are (temporarily) self-signed.
> Our organization already has a PKI consisting of a self-signed RootCA and
> two IssuingCAs. My goal here is to configure my Apache server to require
> user certificates issued by IssuingCA2, and to refuse access to all
> others.
>
> Server version: Apache/2.2.3
> Server built: Aug 10 2006 17:29:16
> OpenSSL 0.9.8b 04 May 2006
>
> THE PROBLEM:
> The problem is that I've found only one configuration that will allow a
> client to successfully load a page, and in this case, it will also allow
> the use of user certificates issued by the other IssuingCA. I find this
> baffling, since I haven't told Apache anything about this particular
> IssuingCA.
>
> I believe that my problems are centering around the SSLCACertificateFile
> directive. See below for my SSL (scrubbed) conf file.
>
> CASE 1:
> If I use this invocation, Apache allows certificates from any issuing CA
> that has been signed by our Root CA. Note that certchain.cer is a
> concatenation of the PEM-encoded certificates for IssuingCA2 and the
> RootCA (specifically, of IssuingCA2.cer and RootCA.cer mentioned in the
> next two cases).
> SSLCACertificateFile conf/ssl/certchain.cer
>
> Here is the logfile excerpt for this case:
>
> [Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 2, subject: [SNIP]Root CA, issuer: [SNIP]Root CA
> [Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 1, subject: [SNIP]Issuing CA 1, issuer: [SNIP]Root CA
> [Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 0, subject: /CN=[SNIP], issuer: [SNIP]Issuing CA 1
>
> CASE 2:
> If I use this invocation, Apache will run but will complain (whenever the
> protected page is loaded) that it can't find the local issuer certificate.
> I've tried setting SSLVerifyDepth to 1, but this didn't help anything.
> The only good thing about this case is that the list of certificates
> presented by the remote browser to the user only includes those directly
> issued by IssuingCA2.
> SSLCACertificateFile conf/ssl/IssuingCA2.cer
>
> Here is the logfile excerpt for this case:
>
> [Mon Apr 23 22:31:18 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 1, subject: [SNIP]Issuing CA 2, issuer: [SNIP]Root CA
> [Mon Apr 23 22:31:18 2007] [error] Certificate Verification: Error (20):
> unable to get local issuer certificate
>
> CASE 3:
> If I use this invocation, Apache won't even run. Note that the content of
> RootCA.cer is exactly the same content that makes up an essential part of
> certchain.cer (see above). AFAIK, this certificate should have format and
> content readily useable by Apache. The only special thing about it, is
> that it is a self-signed certificate (does that make a difference?)
> SSLCACertificateFile conf/ssl/RootCA.cer
>
> Here is the logfile excerpt for this case:
>
> [Mon Apr 23 22:02:13 2007] [info] Loading certificate & private key of
> SSL-aware server
> [Mon Apr 23 22:02:13 2007] [debug] ssl_engine_pphrase.c(469): unencrypted
> RSA private key - pass phrase not required
> [Mon Apr 23 22:02:13 2007] [info] Configuring server for SSL protocol
> [Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(405): Creating new
> SSL context (protocols: SSLv2, TLSv1)
> [Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(538): Configuring
> client authentication
> [Mon Apr 23 22:02:13 2007] [error] Unable to configure verify locations
> for client authentication
> [Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 33558533
> error:02001005:system library:fopen:Input/output error
> [Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 537317378
> error:2006D002:BIO routines:BIO_new_file:system lib
> [Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 185090050
> error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
> lib
>
> HELP:
> My expectation here was that I would need to provide the certificate chain
> (issuing and root CA) required to authenticate the user certificate, and
> that a user certificate issued by any other IssuingCA would fail because I
> haven't given Apache the IssuingCA's certificate.
>
> Instead, it seems like the server has gained access to the IssuingCA1
> certificate (does it do this directly, or does the client send it?), and
> is validating that certificate against the RootCA. This seems to happen
> when I provided the RootCA in the SSLCACertificateFile, which (as I
> understand it) gets sent to the remote client so that it can filter its
> list of applicable user certificates.
>
> So, what I'm looking for is a way to configure Apache to:
> 1. Instruct the remote browser to limit the applicable user certificates
> to only those issued by IssuingCA2,
> 2. Avoid the "unable to get local issuer certificate" error
> 3. Never accept a user certificate issued by IssuingCA1
>
> Could someone please tell me where I've gone wrong, and/or how to achieve
> these goals?
>
>
>
> CONFIGURATION:
> Here's my SSL conf file. It's loaded from httpd.conf:
>
> <VirtualHost _default_:443>
> DocumentRoot [SNIP]
> ServerName [SNIP]:443
> ServerAdmin [SNIP]
> CustomLog virtualhosts/secure/logs/access.log common
> ErrorLog virtualhosts/secure/logs/error.log
> TransferLog virtualhosts/secure/logs/access.log
> LogLevel debug
>
> <IfModule ssl_module>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile conf/ssl/[SNIP].crt
> SSLCertificateKeyFile conf/ssl/[SNIP].key
> SSLCACertificateFile conf/ssl/certchain.cer
> SSLVerifyDepth 10
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> SSLOptions +StdEnvVars
> </Files>
> <Directory "cgi-bin">
> SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> CustomLog virtualhosts/secure/logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> # Prevent clients from using SSLv3
> SSLProtocol all -SSLv3
> </IfModule>
>
> DocumentRoot [SNIP]/virtualhosts/secure/htdocs
> <Directory [SNIP]/virtualhosts/secure/htdocs>
> Options Indexes FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>
> <Location />
> Options FollowSymLinks
> AllowOverride None
>
> Order allow,deny
> Allow from all
> </Location>
>
> <Location /protected>
> # Per-directory configuration for SSL
> SSLRequireSSL
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
> SSLVerifyClient require
> </Location>
>
> <Directory "[SNIP]/virtualhosts/secure/cgi-bin">
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
> </Directory>
>
> </VirtualHost>
>
>
> ____________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

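The script below is an added example, not code from the thread, from mod_ssl or from the poster's site. It builds a throwaway PKI with the same shape as the one described above (a self-signed RootCA and two IssuingCAs, with one user certificate under each) and uses `openssl verify` to reproduce what the poster saw: in CASE 1 a certificate from IssuingCA1 verifies against certchain.cer because the client supplies IssuingCA1's own certificate in the handshake and the server already trusts the RootCA above it; in CASE 2 a file holding only IssuingCA2 fails because OpenSSL will not stop at an intermediate unless partial chains are explicitly allowed. It also prints the issuer as the one-line DN that mod_ssl exposes in SSL_CLIENT_I_DN, which is the string an SSLRequire comparison actually sees. Every name here (Example, Root CA, Issuing CA 1, Issuing CA 2, alice, bob) and every file name is constructed for the example; it assumes an OpenSSL command-line tool of version 1.0.2 or newer, which is where the -partial_chain option appeared (the poster's 0.9.8b has no equivalent).

```shell
#!/bin/sh
# Added example (not from the thread): a toy PKI shaped like the poster's and
# `openssl verify` runs that reproduce CASE 1 and CASE 2.
# Assumes OpenSSL 1.0.2+ on PATH. All names, DNs and files are constructed.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req/x509 config so the run does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = Example
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ user_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Self-signed root: the poster's RootCA.cer.
gen_key root.key
openssl req -x509 -new -key root.key -config pki.cnf -extensions ca_ext \
    -subj "/O=Example/CN=Root CA" -out root.pem 2>/dev/null

# issue NAME SUBJECT_CN ISSUER EXT_SECTION: new key, CSR, cert signed by ISSUER.
issue() {
    gen_key "$1.key"
    openssl req -new -key "$1.key" -config pki.cnf -subj "/O=Example/CN=$2" \
        -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}
issue ca1   "Issuing CA 1" root ca_ext     # the poster's IssuingCA1
issue ca2   "Issuing CA 2" root ca_ext     # the poster's IssuingCA2.cer
issue alice "alice"        ca1  user_ext   # user cert from the unwanted CA
issue bob   "bob"          ca2  user_ext   # user cert from the wanted CA

cat ca2.pem root.pem > certchain.pem       # CASE 1: IssuingCA2 + RootCA

# verify_ok CAFILE USERCERT [extra openssl verify options...]
# Exit status 0 when the chain verifies. "-untrusted X" plays the part of the
# intermediate certificate a browser sends along with the user certificate.
verify_ok() {
    cafile="$1"; cert="$2"; shift 2
    openssl verify -CAfile "$cafile" "$@" "$cert" >/dev/null 2>&1
}

# issuer_dn CERT: the issuer as the legacy one-line DN, the form mod_ssl 2.x
# exposes as SSL_CLIENT_I_DN and that SSLRequire compares against.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# sslrequire_for CERT: an SSLRequire line pinned to CERT's real issuer DN.
sslrequire_for() {
    printf 'SSLRequire %%{SSL_CIPHER_USEKEYSIZE} >= 128 and %%{SSL_CLIENT_I_DN} eq "%s"\n' \
        "$(issuer_dn "$1")"
}

# CASE 1: with the root trusted, a user cert from IssuingCA1 verifies as soon
# as the client supplies IssuingCA1 itself. Without it, the same cert fails.
verify_ok certchain.pem bob.pem   -untrusted ca2.pem && echo "case1 bob:   accepted"
verify_ok certchain.pem alice.pem -untrusted ca1.pem && echo "case1 alice: accepted (issued by IssuingCA1)"
verify_ok certchain.pem alice.pem || echo "case1 alice, no intermediate sent: rejected"

# CASE 2: only IssuingCA2 trusted. OpenSSL insists on reaching a self-signed
# root unless partial chains are allowed, and only IssuingCA2 passes then.
verify_ok ca2.pem bob.pem || echo "case2 bob:   rejected (no route to a self-signed root)"
verify_ok ca2.pem bob.pem   -partial_chain && echo "case2+partial bob:   accepted"
verify_ok ca2.pem alice.pem -partial_chain -untrusted ca1.pem || echo "case2+partial alice: rejected"

echo "SSL_CLIENT_I_DN for bob: $(issuer_dn bob.pem)"
sslrequire_for bob.pem
```

Two things worth taking from the run. First, the suggested `%{SSL_CLIENT_I_DN} eq "IssuingCA2"` only matches if the whole one-line issuer DN is exactly that string; with a real issuer the comparison has to be against the full DN the script prints (or against the CN component alone via `%{SSL_CLIENT_I_DN_CN}`). Second, CASE 3 in the post is a different kind of failure: the logged `fopen:Input/output error` is the operating system refusing to read the file, not OpenSSL objecting to a self-signed certificate, so the file's path, permissions and readability are what to check there.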