如何解决Apache 2 相互 TLS 身份验证仅适用于“SSLClientVerify optional_no_ca” Apache 日志Apache 日志
我正在尝试使用 Apache2 来提供具有相互 TLS 身份验证的 REST-API。
如果我将 SSLVerifyClient
选项设置为 require
,由于看起来像服务器/客户端证书验证,SSL 连接未建立,我将无法获得客户端证书。我使用的是公司内部测试证书和相关的 CA 证书链。
如果我将 SSLVerifyClient
选项设置为 optional_no_ca
,我可以从 Chrome/CURL(测试工具)获得连接,并获得证书信息。这仅允许 openssl_x509_parse($_SERVER['SSL_CLIENT_CERT'])
检查 CN 值作为身份验证。
问题是:
- 我设置 Apache 证书的方式是否有问题导致认证验证错误?还是证书有问题?
- 有没有办法让我在 Apache2/curl 之外测试服务器/客户端证书集成?
- 获取客户证书并检查 CN 值是否足以确保没有人伪装成客户?
注意: 在 Apache 日志文件中我可以看到端口 443,尽管我在端口 8447 上设置了 SSL(由于端口 443 被阻止)。跟这有关系吗?
使用 Chrome 进行测试
This site can’t provide a secure connection
machine.xyz.com didn’t accept your login certificate,or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
Apache 日志
[Thu Mar 04 15:44:24.975602 2021] [ssl:info] [pid 24140:tid 140137567536896] [client 10.65.65.199:59523] AH01964: Connection to child 320 established (server machine.xyz.com:443)
[Thu Mar 04 15:44:24.976219 2021] [ssl:debug] [pid 24140:tid 140137567536896] ssl_engine_kernel.c(2353): [client 10.65.65.199:59523] AH02043: SSL virtual host for servername machine.xyz.com found
[Thu Mar 04 15:44:24.984844 2021] [ssl:debug] [pid 24140:tid 140137567536896] ssl_engine_kernel.c(2236): [client 10.65.65.199:59523] AH02041: Protocol: TLSv1.2,Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Thu Mar 04 15:44:24.985009 2021] [ssl:debug] [pid 24140:tid 140137567536896] ssl_engine_kernel.c(383): [client 10.65.65.199:59523] AH02034: Initial (No.1) HTTPS request received for child 320 (server machine.xyz.com:443)
[Thu Mar 04 15:44:24.985223 2021] [ssl:debug] [pid 24140:tid 140137567536896] ssl_engine_kernel.c(746): [client 10.65.65.199:59523] AH02255: Changed client verification type will force renegotiation
[Thu Mar 04 15:44:24.985257 2021] [ssl:info] [pid 24140:tid 140137567536896] [client 10.65.65.199:59523] AH02221: Requesting connection re-negotiation
[Thu Mar 04 15:44:24.985287 2021] [ssl:debug] [pid 24140:tid 140137567536896] ssl_engine_kernel.c(975): [client 10.65.65.199:59523] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Mar 04 15:44:24.985367 2021] [ssl:info] [pid 24140:tid 140137567536896] [client 10.65.65.199:59523] AH02226: Awaiting re-negotiation handshake
[Thu Mar 04 15:44:24.991206 2021] [ssl:error] [pid 24140:tid 140137567536896] [client 10.65.65.199:59523] AH02261: Re-negotiation handshake failed
[Thu Mar 04 15:44:24.991293 2021] [ssl:debug] [pid 24140:tid 140137567536896] ssl_engine_io.c(1370): (70014)End of file found: [client 10.65.65.199:59523] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Mar 04 15:44:24.991321 2021] [ssl:info] [pid 24140:tid 140137567536896] [client 10.65.65.199:59523] AH01998: Connection closed to child 320 with abortive shutdown (server machine.xyz.com:443)
[Thu Mar 04 15:44:26.471743 2021] [ssl:info] [pid 24140:tid 140137559144192] [client 10.65.65.199:59526] AH01964: Connection to child 321 established (server machine.xyz.com:443)
[Thu Mar 04 15:44:26.471984 2021] [ssl:debug] [pid 24140:tid 140137559144192] ssl_engine_kernel.c(2353): [client 10.65.65.199:59526] AH02043: SSL virtual host for servername machine.xyz.com found
[Thu Mar 04 15:44:26.477354 2021] [ssl:debug] [pid 24140:tid 140137559144192] ssl_engine_kernel.c(2236): [client 10.65.65.199:59526] AH02041: Protocol: TLSv1.2,Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Thu Mar 04 15:44:26.478078 2021] [ssl:debug] [pid 24140:tid 140137559144192] ssl_engine_kernel.c(383): [client 10.65.65.199:59526] AH02034: Initial (No.1) HTTPS request received for child 321 (server machine.xyz.com:443)
[Thu Mar 04 15:44:26.478210 2021] [ssl:debug] [pid 24140:tid 140137559144192] ssl_engine_kernel.c(746): [client 10.65.65.199:59526] AH02255: Changed client verification type will force renegotiation
[Thu Mar 04 15:44:26.478245 2021] [ssl:info] [pid 24140:tid 140137559144192] [client 10.65.65.199:59526] AH02221: Requesting connection re-negotiation
[Thu Mar 04 15:44:26.478272 2021] [ssl:debug] [pid 24140:tid 140137559144192] ssl_engine_kernel.c(975): [client 10.65.65.199:59526] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Mar 04 15:44:26.478334 2021] [ssl:info] [pid 24140:tid 140137559144192] [client 10.65.65.199:59526] AH02226: Awaiting re-negotiation handshake
[Thu Mar 04 15:44:26.490828 2021] [ssl:debug] [pid 24140:tid 140137559144192] ssl_engine_kernel.c(1741): [client 10.65.65.199:59526] AH02275: Certificate Verification,depth 1,CRL checking mode: none (0) [subject: CN=XYZ Co Server TEST CA 13,OU=PKI,O=XYZ Co AG,C=DE / issuer: CN=XYZ Co Group Root TEST CA 13,C=DE / serial: 04 / notbefore: Mar 18 00:00:00 2018 GMT / notafter: Oct 18 00:00:00 2026 GMT]
[Thu Mar 04 15:44:26.490898 2021] [ssl:info] [pid 24140:tid 140137559144192] [client 10.65.65.199:59526] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=XYZ Co Server TEST CA 13,C=DE / serial: 04 / notbefore: Mar 18 00:00:00 2018 GMT / notafter: Oct 18 00:00:00 2026 GMT]
[Thu Mar 04 15:44:26.491006 2021] [ssl:error] [pid 24140:tid 140137559144192] [client 10.65.65.199:59526] AH02261: Re-negotiation handshake failed
[Thu Mar 04 15:44:26.491074 2021] [ssl:error] [pid 24140:tid 140137559144192] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
[Thu Mar 04 15:44:26.491140 2021] [ssl:info] [pid 24140:tid 140137559144192] [client 10.65.65.199:59526] AH02008: SSL library error 1 in handshake (server machine.xyz.com:443)
[Thu Mar 04 15:44:26.491164 2021] [ssl:info] [pid 24140:tid 140137559144192] SSL Library Error: error:140800FF:SSL routines:ssl3_accept:unknown state
[Thu Mar 04 15:44:26.491181 2021] [ssl:info] [pid 24140:tid 140137559144192] [client 10.65.65.199:59526] AH01998: Connection closed to child 321 with abortive shutdown (server machine.xyz.com:443)
使用 Curl 进行测试
$ curl -v --cacert 'XYZ Company TEST.crt' --cert client-machine.xyz.com_Testing-DoD-Application.crt --key client-machine.xyz.com_Testing-DoD-Application.key https://machine.xyz.com:8447/data-requests/secure/test.php
. . ..
. . . .
s://machine.xyz.com:8447/data-requests/secure/test.php
* Trying 10.99.99.99...
* TCP_NODELAY set
* Connected to machine.xyz.com (10.99.99.99) port 8447 (#0)
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 183 bytes...
* schannel: sent initial handshake data: sent 183 bytes
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 3998
* schannel: encrypted data buffer: offset 3998 length 4096
* schannel: received incomplete message,need more data
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5022 length 5022
* schannel: received incomplete message,need more data
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 6046 length 6046
* schannel: received incomplete message,need more data
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 7070 length 7070
* schannel: received incomplete message,need more data
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 2/3)
* schannel: encrypted data got 639
* schannel: encrypted data buffer: offset 7709 length 8094
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 8094
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 3/3)
* schannel: stored credential handle in session cache
> GET /data-requests/secure/test.php HTTP/1.1
> Host: machine.xyz.com:8447
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 33
* schannel: encrypted data buffer: offset 33 length 103424
* schannel: decrypted data length: 0
* schannel: decrypted data added: 0
* schannel: decrypted data cached: offset 0 length 102400
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection with gmcctu01.uk.db.com port 8447 (step 2/3)
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: sending next handshake data: sending 219 bytes...
* schannel: SSL/TLS connection with gmcctu01.uk.db.com port 8447 (step 2/3)
* schannel: encrypted data got 7969
* schannel: encrypted data buffer: offset 7969 length 103424
* schannel: sending next handshake data: sending 3601 bytes...
* schannel: SSL/TLS connection with machine.xyz.com port 8447 (step 2/3)
* schannel: encrypted data got 31
* schannel: encrypted data buffer: offset 31 length 103424
* schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* schannel: renegotiation failed
* schannel: schannel_recv cleanup
* Closing connection 0
* schannel: shutting down SSL/TLS connection with machine.xyz.com port 8447
* schannel: clear security context handle
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
Apache 日志
[Thu Mar 04 15:50:05.194181 2021] [ssl:info] [pid 24140:tid 140137550751488] [client 10.65.65.199:59618] AH01964: Connection to child 322 established (server machine.xyz.com:443)
[Thu Mar 04 15:50:05.194424 2021] [ssl:debug] [pid 24140:tid 140137550751488] ssl_engine_kernel.c(2353): [client 10.65.65.199:59618] AH02043: SSL virtual host for servername machine.xyz.com found
[Thu Mar 04 15:50:05.334191 2021] [ssl:debug] [pid 24140:tid 140137550751488] ssl_engine_kernel.c(2236): [client 10.65.65.199:59618] AH02041: Protocol: TLSv1.2,Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Thu Mar 04 15:50:05.376284 2021] [ssl:debug] [pid 24140:tid 140137550751488] ssl_engine_kernel.c(383): [client 10.65.65.199:59618] AH02034: Initial (No.1) HTTPS request received for child 322 (server machine.xyz.com:443)
[Thu Mar 04 15:50:05.376441 2021] [ssl:debug] [pid 24140:tid 140137550751488] ssl_engine_kernel.c(746): [client 10.65.65.199:59618] AH02255: Changed client verification type will force renegotiation
[Thu Mar 04 15:50:05.376454 2021] [ssl:info] [pid 24140:tid 140137550751488] [client 10.65.65.199:59618] AH02221: Requesting connection re-negotiation
[Thu Mar 04 15:50:05.376517 2021] [ssl:debug] [pid 24140:tid 140137550751488] ssl_engine_kernel.c(975): [client 10.65.65.199:59618] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Mar 04 15:50:05.376617 2021] [ssl:info] [pid 24140:tid 140137550751488] [client 10.65.65.199:59618] AH02226: Awaiting re-negotiation handshake
[Thu Mar 04 15:50:05.498008 2021] [ssl:debug] [pid 24140:tid 140137550751488] ssl_engine_kernel.c(1741): [client 10.65.65.199:59618] AH02275: Certificate Verification,C=DE / serial: 04 / notbefore: Mar 18 00:00:00 2018 GMT / notafter: Oct 18 00:00:00 2026 GMT]
[Thu Mar 04 15:50:05.498078 2021] [ssl:info] [pid 24140:tid 140137550751488] [client 10.65.65.199:59618] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=XYZ Co Server TEST CA 13,C=DE / serial: 04 / notbefore: Mar 18 00:00:00 2018 GMT / notafter: Oct 18 00:00:00 2026 GMT]
[Thu Mar 04 15:50:05.498183 2021] [ssl:error] [pid 24140:tid 140137550751488] [client 10.65.65.199:59618] AH02261: Re-negotiation handshake failed
[Thu Mar 04 15:50:05.498223 2021] [ssl:error] [pid 24140:tid 140137550751488] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
[Thu Mar 04 15:50:05.498280 2021] [ssl:info] [pid 24140:tid 140137550751488] [client 10.65.65.199:59618] AH02008: SSL library error 1 in handshake (server machine.xyz.com:443)
[Thu Mar 04 15:50:05.498299 2021] [ssl:info] [pid 24140:tid 140137550751488] SSL Library Error: error:140800FF:SSL routines:ssl3_accept:unknown state
[Thu Mar 04 15:50:05.498314 2021] [ssl:info] [pid 24140:tid 140137550751488] [client 10.65.65.199:59618] AH01998: Connection closed to child 322 with abortive shutdown (server machine.xyz.com:443)
Apache 版本
$ httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
event.c
$ httpd -v
Server version: Apache/2.4.46 (Unix)
Server built: Dec 23 2020 08:36:14
Apache 配置
<VirtualHost _default_:8447>
ServerAdmin some-support@xyz.com
ServerName machine.xyz.com
ServerAlias machine.xyz.com
DocumentRoot /applications/apache2/htdocs_dev
SSLEngine on
## Strengthen Ciphers
# Enable TLSv1.2,disable SSLv3.0,TLSv1.0 and TLSv1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Enable modern TLS cipher suites
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# The order of cipher suites matters
SSLHonorCipherOrder on
# Disable TLS compression
SSLCompression on
# Necessary for Perfect Forward Secrecy (PFS)
SSLSessionTickets off
SSLCertificateFile /applications//pki/tls/certs/machine.xyz.com_8447.crt
SSLCertificateKeyFile /applications/pki/tls/certs/machine.xyz.com_8447.key
SSLCertificateChainFile /applications/pki/tls/certs/xyz-sslca-certificate.crt
<Location /data-requests/secure>
SSLVerifyClient require
#SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
</Location>
</VirtualHost>
解决方法
您使用的证书可能对相互身份验证无效。您需要确保客户端证书具有 ClientAuth 扩展密钥用法。 https://en.wikipedia.org/wiki/X.509 讨论证书上的扩展密钥用法参数。同样,服务器必须具有 ServerAuth 扩展密钥用法。
在 Apache2/curl 之外,您可以使用 Verify a certificate chain using openssl verify
中讨论的openssl verify
命令
在您当前使用 SSLVerifyClient optional_no_ca
的配置中,有人可以使用来自不同 CA 的匹配 CN 生成证书。 require
而不是 optional_no_ca
的要点是它检查证书是否来自受信任的 CA。在这种情况下,您需要确保在 SSLCACertificateFile
或 SSLCACertificatePath
中引用了受信任的 CA。
1:https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcacertificatepath
,嗨 Jojajak - 非常感谢您的及时回复。它让我解决了我的问题。
您的 ONE 帖子使我对这一领域的了解增加了十倍。
验证完整的证书
openssl verify -CAfile 'XYZ Company Root TEST CA 13.crt' -untrusted 'XYZ Company TEST CA 13.crt' client-machine.xyz.com_Testing-DoD-Application.crt
client-machine.xyz.com_Testing-DoD-Application.crt: OK
确认扩展密钥使用
openssl x509 -in client-machine.xyz.com_Testing-DoD-Application.crt -purpose -noout -text
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
. . . .
问题是我没有在我的 Apache2 配置中使用 SSLCACertificateFile
。我将 SSLCertificateChainFile
复制为 SSLCACertificateFile
并且它起作用了。
SSLCertificateFile /applications/pki/tls/certs/machine.xyz.com_8447.crt
SSLCertificateKeyFile /applications/pki/tls/certs/machine.xyz.com_8447.key
SSLCertificateChainFile /applications/pki/tls/certs/xyz-sslca-certificate.crt
## Below was the missing parameter. Duh!
SSLCACertificateFile /applications/pki/tls/certs/xyz-sslca-certificate.crt
问题结束,成功。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。