View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions SSLVerifyClient fails when inside <Location>
Log in to Ask a Question

SSLVerifyClient fails when inside <Location>

development

Running Gentoo with Apache 2.2. When I put SSLVerifyClient just inside it works fine. If I put it inside a or block inside that vhost, however, it fails. Log shows: Re-negotiation handshake failed: Not accepted by client!?

Relevant config file snippet:

 <virtualhost _default_:443="">ServerName ssl.example.com
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLVerifyClient none
        SSLVerifyDepth  10
        <filesmatch "\.(cgi|shtml|phtml|php)$"="">SSLOptions +StdEnvVars</filesmatch> 
        <directory "="" var="" www="" default="" cgi-bin"="">SSLOptions +StdEnvVars</directory> 
       <ifmodule setenvif_module="">BrowserMatch ".*MSIE.*" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0</ifmodule> 
        <ifmodule log_config_module="">CustomLog /var/log/apache2/ssl_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</ifmodule> 

        <location foo="" *="">SSLOptions +OptRenegotiate
                SSLVerifyClient require
                SSLVerifyDepth 10</location></virtualhost>

4 Replies

SSL renegotiation may be turned off in the client because it was recently discovered that the SSL protocol has a very bad MITM attack when it is enabled.

I've never used Client Certs; as I understand it moving from a non-cert required area to a cert required area forces a renegotiation. And that's where it fails.

If I'm right your options, typically, are to never need a client cert on a site, or to always require a client cert. Potentially you could also disable SSL persistence (it'd force every query to make a new connection and negotiate a new SSL session, so there'd be no SSL renegotiation within a session as it went from a non-cert area to a cert-area) but that would kill performance and put additional load on your server.

Huh. So I guess Apache doc is not up to date with what modern browsers are doing:

> How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server? [L]

For this we again use the per-directory reconfiguration feature of mod_ssl:

SSLVerifyClient none

SSLCACertificateFile conf/ssl.crt/ca.crt

SSLVerifyClient require

SSLVerifyDepth 1

So I have a somewhat usable work-around, but I'd be interested if any Apache gurus have a better one:

SSLVerifyClient optional
SSLVerifyDepth  10
 <location foo="" *="">SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    and %{SSL_CLIENT_VERIFY} eq "SUCCESS"   )</location>

This works, but the annoying thing is that browsers get a pop-up requesting authentication for all parts of the site. The dialog can be dismissed, but I wish there was a way to prevent it from displaying.

Get a 2nd IP address from linode, run one apache SSL vhost without client certs, and run the other vhost with client certs :-)

Hmm. $12 a year just might be worth it.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct