wolfram eifler | 18 Nov 10:38

Multiple Requests for Client Certificate

hi,

I'm in the setup of an ssl-enabled apache2 server with mod_ssl - works
fine so far *but* when a client-browser opens multiple simultaneous
connections for one page to the server the Client-Certificate gets
requested the same number of times from the user.

The corresponding Browser-Configuration for firefox for example is named
network.http.max-persistent-connections-per-server

I am looking for a way to avoid these multiple questions for a
client-cert but I have no influence on the Browser-Configurations.

Is there a way to avoid those multi-questions?

best regards

-- 
Kind regards

Wolfram Eifler
Development

Mail  wolfram.eifler <at> esiqia.com

e.siqia Informationstechnologien GmbH
Saarbrücker Str. 36
10405 Berlin
Tel. +49 30.284730-68
Fax  +49 30.284730-99

Wilhelm.Greiner | 27 Oct 14:45

mod_ssl Environment Variable?


Hello,

I would like to do the following (Apache 2.2 config):

<Directory /var/www/desert/storage/jctmirrorserver/dav/Service42>
 AuthUserFile /dev/null
 #SSLOptions +ExportCertData +FakeBasicAuth
 SSLOptions +FakeBasicAuth
 #SSLRequire (%{SSL_CLIENT_S_DN_O} in {"ClientO1", "ClientO2"})
 AuthLDAPURL "ldap://192.168.1.3:389/dc=testnet,dc=de?uid"
 AuthType Basic
 AuthName "Internal Server Content"
 #AuthBasicAuthoritative Off
 AuthBasicProvider ldap
 Require ldap-user %{SSL_CLIENT_S_DN_OU}
</Directory>

I want to use client certificates; after connect, I will check one of the
fields in the certificate (existence) in an LDAP server.


But the Apache variable %{SSL_CLIENT_S_DN_OU} does not basically contain
the OU string (testorg); there is a very long string, like this:

uid=/c=de/st=niedersachsen/o=ClientO1/ou=testorg/cn=maschinen/
emailaddress=support <at> testnet.de

With this string Apache now asks the LDAP server; that all seems
correct, but the uid field in my LDAP holds the entry named
"testorg".

Is this an Error, that the Variable %{SSL_CLIENT_S_DN_OU} contains
ALL Client Cert Data and not the one requested (OU)?

Or is it like a Perl hash and my syntax is simply wrong?

Wilhelm
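To show what the quoted value actually carries and how to pull a single attribute out of it, here is an added Python example (not part of the post or of mod_ssl). It parses the slash-separated one-line DN that mod_ssl exposes in SSL_CLIENT_S_DN, which under +FakeBasicAuth is also the username handed to the auth provider, and extracts the OU; the sample DN is constructed after the one in the post, with the address changed.

```python
"""Pull one attribute out of the one-line DN that mod_ssl exposes in
SSL_CLIENT_S_DN (and hands to the auth provider as the username under
+FakeBasicAuth). Added example, not part of the post or of mod_ssl."""
from typing import List, Tuple

# Constructed sample modelled on the string in the post (address changed).
SAMPLE_DN = ("/c=de/st=niedersachsen/o=ClientO1/ou=testorg/cn=maschinen/"
             "emailaddress=support@example.invalid")


def looks_like_full_dn(value: str) -> bool:
    """True when a username is a whole DN rather than one attribute value,
    which is what the 'uid=/c=de/...' query in the post indicates."""
    return value.startswith("/") and "=" in value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split '/key=value/key=value' into (KEY, value) pairs. Keys are
    upper-cased so 'ou' and 'OU' compare equal; values are kept verbatim.
    A '/' inside a value cannot be escaped in this format, so a plain
    split is all this format supports."""
    pairs = []
    for rdn in dn.split("/"):
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r}")
        key, value = rdn.split("=", 1)
        pairs.append((key.strip().upper(), value))
    return pairs


def dn_attribute(dn: str, attr: str) -> List[str]:
    """All values of one attribute; a subject may carry several OUs."""
    wanted = attr.upper()
    return [v for k, v in parse_dn(dn) if k == wanted]


def ldap_uid_candidate(dn: str) -> str:
    """The single value an LDAP uid lookup should be fed. Zero or several
    OUs raise, since silently picking one would tie authorization to
    attribute order in the certificate."""
    ous = dn_attribute(dn, "OU")
    if len(ous) != 1:
        raise ValueError(f"expected exactly one OU, found {ous!r}")
    return ous[0]
```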
Nuno Ponte | 21 Oct 11:46

Partitioned CRLs

    Hi,

    We are running a CA that has thousands of revoked certificates,
which leads to CRLs of several MBytes.

    On the next renewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have different CRL Distribution Points (CDP) according to the
partitions they are assigned.

    For example, for X=100, from certificate 1 to certificate 100, the
CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

    My question: Is mod_ssl/openssl prepared to support partitioned
CRLs like the way described? In particular, if CRLs are cached,
mod_ssl must be able to merge several different partitions according
to the CDP to create a unified view over the revocation universe of a
CA.

    Regards,

         Nuno Ponte
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Jorge Martín Cuervo | 20 Oct 09:53

unable to start apache with 2 certificates

Hi all,

I have a problem with an Apache 2.2.9; maybe this is not the correct
mailing list, but I am going to ask. My apologies if this isn't the
proper place.

I had an instance of Apache 2.2.9 with an IP serving contents on
ports 80 and 443. We bought a GoDaddy certificate and all went pretty
well, but we needed to install another certificate for another domain on
the same machine. I had several domains and all work with vhosts over
HTTP, but when I first tried to use several vhosts for secure
connections, Apache seemed to restart well but stopped working.

With only one certificate, Apache used to ask me for the certificate
password, but when I configured a second one it never asked and stopped
serving content, even over HTTP. Then I tried to configure the system
with 2 IPs, one for each certificate, but I got the same problem.

The configuration files seem to be well formed (apachectl -t) and I saw
some examples out there:
http://www.ibm.com/developerworks/opensource/library/wa-multissl.html

Am I doing something wrong? Is this the correct mailing list to ask?

thanks, and best regards.

-- 
;-)
____________________________________
Jorge Martin Cuervo

Outsourcing Emarketplace
deFacto Powered by Standards

email <jorge.martin <at> defactops.com>
voice +34 984 832 659
voice +34 660 026 384
____________________________________


Dave.Chapman | 15 Oct 13:03

IE + SSL = File Upload Problems


Hello,

Hopefully someone can help...

Environment:

Apache httpd 2.2 + mod_proxy + JK2 + mod_ssl --> JBoss (Tomcat 5.5)

IE 6/7 + WinXP Pro/Win 2003

Problem:

When a large file upload from an HTTP form post reaches a "max allowed
limit" (e.g. 20Mb) on the server, the server returns a response (e.g.
413/406).
Somewhere the SSL part is causing (only) IE to hang for a while (consume
lots of memory/processor time) and then display a page that says:

"Navigation to the webpage was stopped..."

Note: Turning SSL off fixes this behaviour.

Can anyone shed any light on what might be causing this?

Cheers,
Dave


jpguilloteau | 10 Oct 22:03

Jean-Pierre Guilloteau is away.


I will be out of the office starting Fri 10/10/08 and will not return until
Mon 27/10/08.

I will reply to your message as soon as I return.
Regards.


Peter Sylvester | 10 Oct 16:47

X509 variables ..UID

In ssl_engine_vars, there seems to me to be a problem concerning the UID
field.
The syntax for the field is a bitstring and not a "text".

static const struct {
    char *name;
    int   nid;
} ssl_var_lookup_ssl_cert_dn_rec[] = {
    { "C",     NID_countryName            },
    { "ST",    NID_stateOrProvinceName    }, /* officially    (RFC2156) */
    { "SP",    NID_stateOrProvinceName    }, /* compatibility (SSLeay)  */
    { "L",     NID_localityName           },
    { "O",     NID_organizationName       },
    { "OU",    NID_organizationalUnitName },
    { "CN",    NID_commonName             },
    { "T",     NID_title                  },
    { "I",     NID_initials               },
    { "G",     NID_givenName              },
    { "S",     NID_surname                },
    { "D",     NID_description            },
#if SSL_LIBRARY_VERSION >= 0x00907000
    { "UID",   NID_x500UniqueIdentifier   },
#else
    { "UID",   NID_uniqueIdentifier       },
#endif
    { "Email", NID_pkcs9_emailAddress     },
    { NULL,    0                          }
};

-- 

<http://www.edelweb.fr>
*Edel/W/eb* 	Peter SYLVESTER
Information Systems Security Consultant
-----------------------------------------------------------
EdelWeb - Groupe ON-X
15, quai de Dion-Bouton
F-92816 Puteaux Cedex
Tel : +33.1.40.99.14.14 / Fax : +33.1.40.99.99.58
www.edelweb.fr <http://www.edelweb.fr> / www.on-x.com <http://www.on-x.com>
-----------------------------------------------------------
To verify the message signature, see edelpki.edelweb.fr 
<http://edelpki.edelweb.fr/>
This lets you load the root authority certificate
<http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der>;
the list of revoked certificates can also be found there.

Attachment (smime.p7s): application/x-pkcs7-signature, 4465 bytes
Jan Stian Gabrielli | 22 Sep 20:50

Can I use a CA signed cert to create client authentication certificates?

I am trying to set up Apache with mod_ssl, and I have it working with a
Self Signed CA.
But I cannot get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a "third"
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com.
Received an apache_server.crt.

Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt

Converted the client.key and client.crt to a pkcs12 file and imported this into my
browser, but I cannot make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self-sign a CA, but I can't
make it work when I use a 3rd party CA and only have apache_server.key,
apache_server.crt, thawte root cert.

Best regards

Wizkidnono
Gunnar Vestergaard | 21 Sep 01:06

Authenticating users based on S/MIME certificate

Hi. I am an administrator of a user account at an Apache web server. 
Currently the server is running Apache 1.3.37. My hosting provider plans 
on switching to new hardware with possibly new software. So I don't know 
if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my 
web server using some certificate, possibly S/MIME certificates.

Now, my current S/MIME certificate for personal e-mail is approved for 
the following purposes:
Email Signer Certificate
Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards 
an SSL web server? In any case I want to have a limited crowd of users 
seeing a subdirectory of pages without bothering the user with a user 
name/password dialog. Just their personal certificate lets them see 
pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP 
can read and interpret an SSL client certificate. Is that correct?

Gunnar


Truncated response via mod_proxy

I’m trying to debug an issue with a client getting a truncated response via mod_proxy and mod_ssl on apache 2.0.63. The client software is SQLAnywhere, and they are trying to get a response from a backend web service running under IIS6. If they make the request directly against the origin server via SSL or port 80, it works. If they query via the reverse-proxy on port 80, it works. On SSL via the reverse-proxy the results are truncated (only part of the XML is returned).

This reverse-proxy serves hundreds of vhosts and thousands of clients a day. This is the only vhost + client with a problem.

Using wireshark, we can see that the rproxy is sending an encrypted alert 21 and then client is sending an SSL alert 21 and closing the connection.

I’ve set Apache’s LogLevel to debug, and I can see the incoming SSL handshake and the request, and I can see the mod_proxy working, but I don’t see a detailed trace of the response going back (even though a partial response is sent). The access log says that the whole response is returned. Is there some special command to trace the response?

Regards,

Ryan


John Fox | 15 Sep 20:52

SSL works from server command line, but not from outside server. Weird!

Hi, folks.

I've run across a weird problem -- https/SSL works fine when accessed
from the machine running httpd, but is unavailable from all others.

Software versions: Apache 1.3.37/mod_ssl-2.8.28-1.3.37/OpenSSL 0.9.8b

Running 'http' on port 8118, 'https' on port 8119

I get positive results from openssl's "s_client" when I connect to
8119 from the server's command line:

  $ openssl s_client -connect webdev-gold:8119
  CONNECTED(00000003)
  depth=0 /C=US/ST=Oregon/L=Medford/O=Musey's
Pal/OU=WebDev/CN=webdev-gold.musiciansfriend.com/emailAddress=foo <at> bar.net
  verify error:num=18:self signed certificate
  verify return:1
  depth=0 /C=US/ST=Oregon/L=Medford/O=Musey's
Pal/OU=WebDev/CN=webdev-gold.musiciansfriend.com/emailAddress=foo <at> bar.net
  < SNIP >
  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
  Server public key is 1024 bit
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : DHE-RSA-AES256-SHA
      Session-ID:
9D8989B47E6EE3546426AFC100348052D900956A40E0C33AAB41019D71CF515E
      Session-ID-ctx:
      Master-Key:
EF1AC496532EE1B8EF0F63988AB7CED1F05F9EAB8675DD76DC54A6DC6E91410C12B9808C8567B803838137B79089591C
      Key-Arg   : None
      Krb5 Principal: None
      Start Time: 1221497972
      Timeout   : 300 (sec)
      Verify return code: 18 (self signed certificate)
  ---

To verify this a bit further, I (again, from the server's command
line) made use of the 'lynx' browser to attempt accessing https on
port 8119 -- this worked, as well.

Next thing I tried was running the same "s_client" command from my
workstation's command line:
(openssl version 0.9.8g)

  $ openssl s_client -connect webdev-gold:8119 -state -debug
  CONNECTED(00000003)
  SSL_connect:before/connect initialization
  write to 0x80c1340 [0x80c22f8] (124 bytes => 124 (0x7C))
  0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
  0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
  0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
  0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
  0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
  0050 - 00 00 06 04 00 80 00 00-03 02 00 80 78 79 d0 f1   ............xy..
  0060 - 49 80 86 36 2c 4a 72 b0-9a 3d 73 a6 d7 2e e9 78   I..6,Jr..=s....x
  0070 - 05 4e 73 b7 84 12 ea 38-18 b1 41 c2               .Ns....8..A.
  SSL_connect:SSLv2/v3 write client hello A
  read from 0x80c1340 [0x80c7858] (7 bytes => 7 (0x7))
  0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
  SSL_connect:error in SSLv2/v3 read server hello A
  16389:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:583:

And the corresponding entry from the server's error log:
  [Mon Sep 15 10:04:30 2008] [error] [client 172.16.70.182] Invalid
method in request \\x80t\\x01\\x03\\x01

Seems to be working from the server, but not from outside it.  So I
thought I'd best be sure that I wasn't doing
something silly like listening only on the loopback address or something:

  tcp        0      0 0.0.0.0:8118                0.0.0.0:*
       LISTEN
  tcp        0      0 0.0.0.0:8119                0.0.0.0:*
       LISTEN

Which I think proves that httpd isn't confining itself to a single
network interface.

I've spent a couple of hours googling on this, and discovered that
while the the error shown in the Apache log excerpt is quite common,
the situation I'm describing is not.  Any insights, thoughts, and
suggestions would be appreciated, as I feel I've taken this as far as
I can on my own.

I am attaching the relevant httpd.conf file -- in gzipped format -- on
the chance it may prove helpful.

Thank you.

-John
Attachment (sample_httpd.conf.gz): application/x-gzip, 1827 bytes
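The bytes Apache logged ("\x80t\x01\x03\x01") are the first bytes of an SSLv2-compatible ClientHello read as an HTTP request line, and "<!DOCTY" is the start of a plaintext HTML error page, so for that client port 8119 is being answered in plain HTTP rather than TLS. As an added Python example (not part of the post or of httpd), here is a probe that sends such a hello and classifies the reply, with a loopback stand-in listener so it can be exercised offline; the hello's cipher list and challenge are constructed.

```python
"""Probe whether a port answers a ClientHello with TLS or with plaintext
HTTP (the '<!DOCTY' reply quoted above). Added example, not from the post."""
import socket
import struct
import threading


def build_v2_client_hello() -> bytes:
    """Constructed SSLv2-compatible ClientHello advertising TLS 1.0: 2-byte
    length with the high bit set, message type 1, version 3.1 (compare the
    post's hex dump, which starts 80 7a 01 03 01)."""
    cipher_specs = b"\x00\x00\x35\x00\x00\x2f"  # AES256-SHA, AES128-SHA
    challenge = b"\x11" * 16                    # fixed, not random: demo only
    body = (b"\x01\x03\x01" + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_reply(data: bytes) -> str:
    if not data:
        return "no-data"
    # TLS record layer: content type 20..23 followed by major version 3.
    if len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        return "tls"
    # SSLv2 SERVER-HELLO: high bit set on the length, message type 4.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2"
    # A plaintext httpd treats the hello as a bad request line and answers
    # with a 400 page: a status line (HTTP/...) or an HTML body (<!DOCTYPE).
    if data.lstrip()[:5].upper() in (b"HTTP/", b"<!DOC", b"<HTML"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_v2_client_hello())
        try:
            data = s.recv(64)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_reply(data)


def fake_listener(reply: bytes) -> int:
    """One-shot loopback server answering any input with `reply`; returns port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe("127.0.0.1", fake_listener(b"<!DOCTYPE HTML PUBLIC>"))` to reproduce the "plaintext-http" verdict; against a real host, the same call with its port tells you whether the listener reached from outside is the SSL vhost at all.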
