Apache 2.4 mutual authentication - AH01797: client denied by server configuration
So I'm trying to set up Apache 2.4 mutual authentication on a virtual host configuration.
Given the below environment, what am I missing?
Server is: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r
Client is: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)
So far I have:
- Generated a self-signed root certificate (CA).
- Generated a server key pair, signed by CA.
- Generated a client key pair, signed by CA.
- Generated a client .p12 certificate from client key pair and CA.
- Added CA to /usr/local/share/ca-certificates/, and ran # update-ca-certificates -v
- In Firefox, imported CA under Certificate Manager, Authorities.
- In Firefox, imported .p12 certificate under Certificate Manager, Your Certificates.
- Configured Apache to use server certificates. Yay, that's working.
To test certificates I ran:
# openssl s_client -connect www.example.com:443 \
    -cert ./client.crt \
    -key ./client.key \
    -CAfile ./CA/ca.crt \
    -state -debug
Which ends with Verify return code: 0 (ok), but with no sign of a client certificate in the output.
Full output later.
All this resulted in an error: AH01797: client denied by server configuration
Apache VirtualHost Configuration:
<VirtualHost www.example.com:443>
    ServerName www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot "/home/username/local/www/php-dev"
    ErrorLog /home/username/local/www/log/example.com-username.error.log
    TransferLog /home/username/local/www/log/example.com-username.access.log

    SSLEngine on
    #SSLVerifyClient none
    SSLCertificateFile "/etc/httpd/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/httpd/certs/www.example.com.key"
    #SSLCACertificatePath "/etc/httpd/certs"
    SSLCertificateChainFile "/etc/httpd/certs/ca.crt"
    SSLCACertificateFile "/etc/httpd/certs/ca.crt"

    <Directory "/home/username/local/www/php-dev">
        Options +Indexes +FollowSymLinks +MultiViews -Includes
        #RewriteEngine on
        #RewriteBase /
        AllowOverride None
        #AllowOverride AuthConfig
        Order allow,deny
        Require all granted

        # require a client certificate which has to be directly
        # signed by our CA certificate in ca.crt
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        #SSLRequire (%{SSL_CLIENT_S_DN_Email} eq "hostmaster@example.com")

        # Use this option to match on DNS (This is working)
        #Require forward-dns client.example.com
        #Require valid-user
    </Directory>
</VirtualHost>
OpenSSL test output:
# openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x1cdb1a0 [0x1dcc6e0] (305 bytes => 305 (0x131))
0000 - 16 03 01 01 2c 01 00 01-28 03 03 0f 0b 13 4d 54 ....,...(.....MT
( **CUT** )
0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01 ................
0130 - 01 .
SSL_connect:SSLv2/v3 write client hello A
read from 0x1cdb1a0 [0x1dd1c40] (7 bytes => 7 (0x7))
0000 - 16 03 03 00 42 02 00 ....B..
read from 0x1cdb1a0 [0x1dd1c4a] (64 bytes => 64 (0x40))
0000 - 00 3e 03 03 3e 28 62 eb-32 a9 4d 87 b7 93 f9 f1 .>..>(b.2.M.....
( **CUT** )
0030 - 0b 00 04 03 00 01 02 00-23 00 00 00 0f 00 01 01 ........#.......
SSL_connect:SSLv3 read server hello A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 07 23 ....#
read from 0x1cdb1a0 [0x1dd1c48] (1827 bytes => 1827 (0x723))
0000 - 0b 00 07 1f 00 07 1c 00-03 da 30 82 03 d6 30 82 ..........0...0.
0010 - 03 3f a0 03 02 01 02 02-01 1a 30 0d 06 09 2a 86 .?........0...*.
( **CUT** )
0700 - bb 65 62 8d a1 03 94 54-5a f8 23 07 ed 35 c8 36 .eb....TZ.#..5.6
0710 - 06 a4 35 82 54 22 76 b7-8d c0 c7 e5 4c ee 17 b9 ..5.T"v.....L...
0720 - 43 2a 58 C*X
depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = hostmaster@example.com
verify return:1
depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 4d ....M
read from 0x1cdb1a0 [0x1dd1c48] (333 bytes => 333 (0x14D))
0000 - 0c 00 01 49 03 00 17 41-04 dc 35 93 bc 84 e3 52 ...I...A..5....R
0010 - 7a c8 fa 92 fe 6f b3 23-fe 6d d6 fe 3b 07 d9 3a z....o.#.m..;..:
( **CUT** )
0130 - a8 67 ac 50 95 4f 85 1a-48 cd 8b 86 c3 8a 38 b6 .g.P.O..H.....8.
0140 - 6c 2e b8 0c b2 a6 a8 6b-3f c1 c0 82 47 l......k?...G
SSL_connect:SSLv3 read server key exchange A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 04 .....
read from 0x1cdb1a0 [0x1dd1c48] (4 bytes => 4 (0x4))
0000 - 0e 00 00 00 ....
SSL_connect:SSLv3 read server done A
write to 0x1cdb1a0 [0x1ddbae0] (75 bytes => 75 (0x4B))
0000 - 16 03 03 00 46 10 00 00-42 41 04 37 fa 53 36 d6 ....F...BA.7.S6.
( **CUT** )
0040 - 34 dd e5 bc 6d 93 d8 40-81 d5 71 4...m..@..q
SSL_connect:SSLv3 write client key exchange A
write to 0x1cdb1a0 [0x1ddbae0] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x1cdb1a0 [0x1ddbae0] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 9d 77 45-e7 4f 6b 4d 6c 93 9c 74 ....(.wE.OkMl..t
0010 - 46 b5 a0 ba e2 e2 1a c8-67 ab 7e 64 27 2c 40 9d F.......g.~d',@.
0020 - 1b ed 20 7f d2 e7 a9 a3-e3 d1 12 3c 2b .. ........<+
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 ca .....
read from 0x1cdb1a0 [0x1dd1c48] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 01 2c-00 c0 b8 fc d9 d3 b5 2e .......,........
0010 - d2 59 2a 66 46 e8 c6 bd-b3 de ea 93 78 d8 11 9f .Y*fF.......x...
( **CUT** )
00b0 - ca 8b 37 58 77 18 57 0c-b7 3e 20 43 a0 a3 25 25 ..7Xw.W..> C..%%
00c0 - 2e 3a a9 da 07 b4 a7 e6-9e 59 .:.......Y
SSL_connect:SSLv3 read server session ticket A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01 .....
read from 0x1cdb1a0 [0x1dd1c48] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28 ....(
read from 0x1cdb1a0 [0x1dd1c48] (40 bytes => 40 (0x28))
0000 - 77 ac ab 69 7c e6 7f e7-04 47 6d 1d 0b 21 0d 37 w..i|....Gm..!.7
0010 - 5e a5 9a 8b 2b f7 40 9b-b3 f1 e4 53 18 4e ef 84 ^...+.@....S.N..
0020 - 2b ad dc 68 07 b7 cc 28- +..h...(
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID1jCCAz+gAwIBAgIBGjANBgkqhkiG9w0BAQsFADCBwzELMAkGA1UEBhMCREsx
EDAOBgNVBAgTB0Rlbm1hcmsxEzARBgNVBAcTCkNvcGVuaGFnZW4xGDAWBgNVBAoT
( **CUT** )
h6Bxy9YXljo0WbpKbr97MC7N8KzG9WWNyRWrhMdCqz5prL4wIzjoGK2Kmn+EMueF
7B2ok8wsc6HVpaPfS+K4EMlEMosdwRnbZiU=
-----END CERTIFICATE-----
subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2508 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C
Session-ID-ctx:
Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b8 fc d9 d3 b5 2e d2 59-2a 66 46 e8 c6 bd b3 de .......Y*fF.....
0010 - ea 93 78 d8 11 9f 3d be-63 6b 18 d4 36 73 75 18 ..x...=.ck..6su.
( **CUT** )
00a0 - c4 9a eb d2 04 19 ca 8b-37 58 77 18 57 0c b7 3e ........7Xw.W..>
00b0 - 20 43 a0 a3 25 25 2e 3a-a9 da 07 b4 a7 e6 9e 59 C..%%.:.......Y
Start Time: 1555651633
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 1a .....
read from 0x1cdb1a0 [0x1dd1c48] (26 bytes => 26 (0x1A))
0000 - 77 ac ab 69 7c e6 7f e8-30 5b 8e cd fb b6 90 69 w..i|...0[.....i
0010 - 01 5e 7f 48 f2 e2 58 c1-ab 7c .^.H..X..|
SSL3 alert read:warning:close notify
closed
write to 0x1cdb1a0 [0x1dd6193] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 9d 77 45-e7 4f 6b 4d 6d 8a df 5a ......wE.OkMm..Z
0010 - a5 3d 1b ac b5 12 3f cb-fb 9d 1a 2b 1c 07 30 .=....?....+..0
SSL3 alert write:warning:close notify
apache-2.4 authentication self-signed-certificate
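The transcript above is worth reading for what it does not contain: between "read server key exchange A" and "read server done A" there is no "read server certificate request" state, the client never writes a "certificate verify" message, and the summary prints "No client certificate CA names sent". In other words the server never sent a CertificateRequest in this handshake, so the -cert/-key given to s_client were never used. That is the expected shape when SSLVerifyClient is set only inside a <Directory> block: mod_ssl then asks for the certificate in a renegotiation after it has read the HTTP request, which an s_client session that sends no request never reaches. The following script is an added example, not code from the question or from Apache/OpenSSL; it parses an `openssl s_client -state` transcript and reports whether client-certificate authentication was actually negotiated. Both sample transcripts are constructed: the first is abridged from the output in the question, the second is a hypothetical run against a server that does request a certificate.

```python
"""Diagnose client-certificate negotiation from an `openssl s_client -state` transcript.

Added example, not code from the question. It looks at the handshake state lines
and the summary block that s_client prints and reports whether the server ever
sent a CertificateRequest and whether the client answered it with a key it holds.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Summary lines that end the "Acceptable client certificate CA names" list
# (names differ slightly between OpenSSL 1.0.2 and 1.1.x output).
_SUMMARY_KEYS = ("Client Certificate Types", "Requested Signature Algorithms",
                 "Shared Requested Signature Algorithms", "Peer signing digest",
                 "Server Temp Key", "---")


@dataclass
class HandshakeReport:
    server_requested_client_cert: bool      # CertificateRequest seen in this handshake
    client_sent_certificate_verify: bool    # client proved possession of a private key
    acceptable_ca_names: List[str]          # CA DNs the server advertised, if any
    verify_return_code: Optional[int]       # server-certificate verification result
    protocol: Optional[str]

    def diagnosis(self) -> str:
        if not self.server_requested_client_cert:
            return ("server sent no CertificateRequest in this handshake: any -cert/-key "
                    "passed to s_client was never used, so look at where SSLVerifyClient "
                    "takes effect on the server rather than at the client certificate")
        if not self.client_sent_certificate_verify:
            return ("server asked for a client certificate but the client proved "
                    "possession of none: check the client key pair against the "
                    "acceptable CA list")
        return "client certificate was requested and presented"


def parse_s_client(transcript: str) -> HandshakeReport:
    """Parse the state lines and summary block; hex dumps are ignored."""
    requested = sent_verify = False
    ca_names: List[str] = []
    verify_code = protocol = None
    lines = transcript.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("SSL_connect:"):
            if "read server certificate request" in line:
                requested = True
            elif "write certificate verify" in line:
                # Only sent when a client certificate with a matching key was presented.
                sent_verify = True
        elif line.startswith("Acceptable client certificate CA names"):
            requested = True
            i += 1
            while i < len(lines) and lines[i].strip() and \
                    not lines[i].strip().startswith(_SUMMARY_KEYS):
                ca_names.append(lines[i].strip())
                i += 1
            continue
        else:
            m = re.match(r"Verify return code:\s*(\d+)", line)
            if m:
                verify_code = int(m.group(1))
            m = re.match(r"Protocol\s*:\s*(\S+)", line)
            if m:
                protocol = m.group(1)
        i += 1
    return HandshakeReport(requested, sent_verify, ca_names, verify_code, protocol)


# Constructed sample 1: abridged from the transcript in the question
# (hex dumps and the server certificate removed).
SAMPLE_NO_REQUEST = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read finished A
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
"""

# Constructed sample 2 (hypothetical): the server does send a CertificateRequest
# and the client answers with a certificate and a CertificateVerify.
SAMPLE_WITH_REQUEST = """\
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write finished A
---
Acceptable client certificate CA names
/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
Peer signing digest: SHA512
---
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, sample in (("question", SAMPLE_NO_REQUEST), ("with request", SAMPLE_WITH_REQUEST)):
        print(f"{name}: {parse_s_client(sample).diagnosis()}")
```

Run it against a real capture with `openssl s_client ... -state 2>&1 | python3 -c 'import sys; ...'` or by pasting the transcript into the module; the useful signal is the first branch of `diagnosis()`, which separates "the server never asked" (a server-side SSLVerifyClient scope or context question) from "the client could not answer" (a client key or CA question), two failures that both end in an access denial but need different fixes.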
So I'm trying to set up Apache 2.4 mutual authentication on a virtual host configuration.
Given the below environment, what am I missing?
Server is: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r
Client is: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)
So far I have:
- Generated a self-signed root certificate (CA).
- Generated a server key pair, signed by CA.
- Generated a client key pair, signed by CA.
- Generated a client .p12 certificate from client key pair and CA.
- Added CA to
/usr/local/share/ca-certificates/
, and ran# update-ca-certificates -v
- In Firefox, imported CA under
Certificate Manager, Authorities
. - In Firefox, imported .p12 certificate under
Certificate Manager, Your Certificates
. - Configure Apache to use server certificates. Yay, that's working.
To test certificates I ran:
# openssl s_client -connect www.example.com:443
-cert ./client.crt
-key ./client.key
-CAfile ./CA/ca.crt
-state -debug
Witch ends with Verify return code: 0 (ok)
but with no sign of client certificate in the output.
Full output later.
All this resulted in an error: AH01797: client denied by server configuration
Apache VirtualHost Configuration:
<VirtualHost www.example.com:443>
ServerName www.example.com
ServerAdmin webmaster@example.com
DocumentRoot "/home/username/local/www/php-dev"
ErrorLog /home/username/local/www/log/example.com-username.error.log
TransferLog /home/username/local/www/log/example.com-username.access.log
SSLEngine on
#SSLVerifyClient none
SSLCertificateFile "/etc/httpd/certs/www.example.com.crt"
SSLCertificateKeyFile "/etc/httpd/certs/www.example.com.key"
#SSLCACertificatePath "/etc/httpd/certs"
SSLCertificateChainFile "/etc/httpd/certs/ca.crt"
SSLCACertificateFile "/etc/httpd/certs/ca.crt"
<Directory "/home/username/local/www/php-dev">
Options +Indexes +FollowSymLinks +MultiViews -Includes
#RewriteEngine on
#RewriteBase /
AllowOverride None
#AllowOverride AuthConfig
Order allow,deny
Require all granted
# require a client certificate which has to be directly
# signed by our CA certificate in ca.crt
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth
#SSLRequire (%{SSL_CLIENT_S_DN_Email} eq "hostmaster@example.com")
# Use this option to match on DNS (This is working)
#Require forward-dns client.example.com
#Require valid-user
</Directory>
</VirtualHost>
OpenSSL test output:
# openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x1cdb1a0 [0x1dcc6e0] (305 bytes => 305 (0x131))
0000 - 16 03 01 01 2c 01 00 01-28 03 03 0f 0b 13 4d 54 ....,...(.....MT
( **CUT** )
0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01 ................
0130 - 01 .
SSL_connect:SSLv2/v3 write client hello A
read from 0x1cdb1a0 [0x1dd1c40] (7 bytes => 7 (0x7))
0000 - 16 03 03 00 42 02 00 ....B..
read from 0x1cdb1a0 [0x1dd1c4a] (64 bytes => 64 (0x40))
0000 - 00 3e 03 03 3e 28 62 eb-32 a9 4d 87 b7 93 f9 f1 .>..>(b.2.M.....
( **CUT** )
0030 - 0b 00 04 03 00 01 02 00-23 00 00 00 0f 00 01 01 ........#.......
SSL_connect:SSLv3 read server hello A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 07 23 ....#
read from 0x1cdb1a0 [0x1dd1c48] (1827 bytes => 1827 (0x723))
0000 - 0b 00 07 1f 00 07 1c 00-03 da 30 82 03 d6 30 82 ..........0...0.
0010 - 03 3f a0 03 02 01 02 02-01 1a 30 0d 06 09 2a 86 .?........0...*.
( **CUT** )
0700 - bb 65 62 8d a1 03 94 54-5a f8 23 07 ed 35 c8 36 .eb....TZ.#..5.6
0710 - 06 a4 35 82 54 22 76 b7-8d c0 c7 e5 4c ee 17 b9 ..5.T"v.....L...
0720 - 43 2a 58 C*X
depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = hostmaster@example.com
verify return:1
depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 4d ....M
read from 0x1cdb1a0 [0x1dd1c48] (333 bytes => 333 (0x14D))
0000 - 0c 00 01 49 03 00 17 41-04 dc 35 93 bc 84 e3 52 ...I...A..5....R
0010 - 7a c8 fa 92 fe 6f b3 23-fe 6d d6 fe 3b 07 d9 3a z....o.#.m..;..:
( **CUT** )
0130 - a8 67 ac 50 95 4f 85 1a-48 cd 8b 86 c3 8a 38 b6 .g.P.O..H.....8.
0140 - 6c 2e b8 0c b2 a6 a8 6b-3f c1 c0 82 47 l......k?...G
SSL_connect:SSLv3 read server key exchange A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 04 .....
read from 0x1cdb1a0 [0x1dd1c48] (4 bytes => 4 (0x4))
0000 - 0e 00 00 00 ....
SSL_connect:SSLv3 read server done A
write to 0x1cdb1a0 [0x1ddbae0] (75 bytes => 75 (0x4B))
0000 - 16 03 03 00 46 10 00 00-42 41 04 37 fa 53 36 d6 ....F...BA.7.S6.
( **CUT** )
0040 - 34 dd e5 bc 6d 93 d8 40-81 d5 71 4...m..@..q
SSL_connect:SSLv3 write client key exchange A
write to 0x1cdb1a0 [0x1ddbae0] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x1cdb1a0 [0x1ddbae0] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 9d 77 45-e7 4f 6b 4d 6c 93 9c 74 ....(.wE.OkMl..t
0010 - 46 b5 a0 ba e2 e2 1a c8-67 ab 7e 64 27 2c 40 9d F.......g.~d',@.
0020 - 1b ed 20 7f d2 e7 a9 a3-e3 d1 12 3c 2b .. ........<+
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 ca .....
read from 0x1cdb1a0 [0x1dd1c48] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 01 2c-00 c0 b8 fc d9 d3 b5 2e .......,........
0010 - d2 59 2a 66 46 e8 c6 bd-b3 de ea 93 78 d8 11 9f .Y*fF.......x...
( **CUT** )
00b0 - ca 8b 37 58 77 18 57 0c-b7 3e 20 43 a0 a3 25 25 ..7Xw.W..> C..%%
00c0 - 2e 3a a9 da 07 b4 a7 e6-9e 59 .:.......Y
SSL_connect:SSLv3 read server session ticket A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01 .....
read from 0x1cdb1a0 [0x1dd1c48] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28 ....(
read from 0x1cdb1a0 [0x1dd1c48] (40 bytes => 40 (0x28))
0000 - 77 ac ab 69 7c e6 7f e7-04 47 6d 1d 0b 21 0d 37 w..i|....Gm..!.7
0010 - 5e a5 9a 8b 2b f7 40 9b-b3 f1 e4 53 18 4e ef 84 ^...+.@....S.N..
0020 - 2b ad dc 68 07 b7 cc 28- +..h...(
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID1jCCAz+gAwIBAgIBGjANBgkqhkiG9w0BAQsFADCBwzELMAkGA1UEBhMCREsx
EDAOBgNVBAgTB0Rlbm1hcmsxEzARBgNVBAcTCkNvcGVuaGFnZW4xGDAWBgNVBAoT
( **CUT** )
h6Bxy9YXljo0WbpKbr97MC7N8KzG9WWNyRWrhMdCqz5prL4wIzjoGK2Kmn+EMueF
7B2ok8wsc6HVpaPfS+K4EMlEMosdwRnbZiU=
-----END CERTIFICATE-----
subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2508 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C
Session-ID-ctx:
Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b8 fc d9 d3 b5 2e d2 59-2a 66 46 e8 c6 bd b3 de .......Y*fF.....
0010 - ea 93 78 d8 11 9f 3d be-63 6b 18 d4 36 73 75 18 ..x...=.ck..6su.
( **CUT )
00a0 - c4 9a eb d2 04 19 ca 8b-37 58 77 18 57 0c b7 3e ........7Xw.W..>
00b0 - 20 43 a0 a3 25 25 2e 3a-a9 da 07 b4 a7 e6 9e 59 C..%%.:.......Y
Start Time: 1555651633
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 1a .....
read from 0x1cdb1a0 [0x1dd1c48] (26 bytes => 26 (0x1A))
0000 - 77 ac ab 69 7c e6 7f e8-30 5b 8e cd fb b6 90 69 w..i|...0[.....i
0010 - 01 5e 7f 48 f2 e2 58 c1-ab 7c .^.H..X..|
SSL3 alert read:warning:close notify
closed
write to 0x1cdb1a0 [0x1dd6193] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 9d 77 45-e7 4f 6b 4d 6d 8a df 5a ......wE.OkMm..Z
0010 - a5 3d 1b ac b5 12 3f cb-fb 9d 1a 2b 1c 07 30 .=....?....+..0
SSL3 alert write:warning:close notify
apache-2.4 authentication self-signed-certificate
add a comment |
So I'm trying to set up Apache 2.4 mutual authentication on a virtual host configuration.
Given the below environment, what am I missing?
Server is: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r
Client is: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)
So far I have:
- Generated a self-signed root certificate (CA).
- Generated a server key pair, signed by CA.
- Generated a client key pair, signed by CA.
- Generated a client .p12 certificate from client key pair and CA.
- Added CA to
/usr/local/share/ca-certificates/
, and ran# update-ca-certificates -v
- In Firefox, imported CA under
Certificate Manager, Authorities
. - In Firefox, imported .p12 certificate under
Certificate Manager, Your Certificates
. - Configure Apache to use server certificates. Yay, that's working.
To test certificates I ran:
# openssl s_client -connect www.example.com:443
-cert ./client.crt
-key ./client.key
-CAfile ./CA/ca.crt
-state -debug
Witch ends with Verify return code: 0 (ok)
but with no sign of client certificate in the output.
Full output later.
All this resulted in an error: AH01797: client denied by server configuration
Apache VirtualHost Configuration:
<VirtualHost www.example.com:443>
ServerName www.example.com
ServerAdmin webmaster@example.com
DocumentRoot "/home/username/local/www/php-dev"
ErrorLog /home/username/local/www/log/example.com-username.error.log
TransferLog /home/username/local/www/log/example.com-username.access.log
SSLEngine on
#SSLVerifyClient none
SSLCertificateFile "/etc/httpd/certs/www.example.com.crt"
SSLCertificateKeyFile "/etc/httpd/certs/www.example.com.key"
#SSLCACertificatePath "/etc/httpd/certs"
SSLCertificateChainFile "/etc/httpd/certs/ca.crt"
SSLCACertificateFile "/etc/httpd/certs/ca.crt"
<Directory "/home/username/local/www/php-dev">
Options +Indexes +FollowSymLinks +MultiViews -Includes
#RewriteEngine on
#RewriteBase /
AllowOverride None
#AllowOverride AuthConfig
Order allow,deny
Require all granted
# require a client certificate which has to be directly
# signed by our CA certificate in ca.crt
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth
#SSLRequire (%{SSL_CLIENT_S_DN_Email} eq "hostmaster@example.com")
# Use this option to match on DNS (This is working)
#Require forward-dns client.example.com
#Require valid-user
</Directory>
</VirtualHost>
OpenSSL test output:
# openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x1cdb1a0 [0x1dcc6e0] (305 bytes => 305 (0x131))
0000 - 16 03 01 01 2c 01 00 01-28 03 03 0f 0b 13 4d 54 ....,...(.....MT
( **CUT** )
0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01 ................
0130 - 01 .
SSL_connect:SSLv2/v3 write client hello A
read from 0x1cdb1a0 [0x1dd1c40] (7 bytes => 7 (0x7))
0000 - 16 03 03 00 42 02 00 ....B..
read from 0x1cdb1a0 [0x1dd1c4a] (64 bytes => 64 (0x40))
0000 - 00 3e 03 03 3e 28 62 eb-32 a9 4d 87 b7 93 f9 f1 .>..>(b.2.M.....
( **CUT** )
0030 - 0b 00 04 03 00 01 02 00-23 00 00 00 0f 00 01 01 ........#.......
SSL_connect:SSLv3 read server hello A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 07 23 ....#
read from 0x1cdb1a0 [0x1dd1c48] (1827 bytes => 1827 (0x723))
0000 - 0b 00 07 1f 00 07 1c 00-03 da 30 82 03 d6 30 82 ..........0...0.
0010 - 03 3f a0 03 02 01 02 02-01 1a 30 0d 06 09 2a 86 .?........0...*.
( **CUT** )
0700 - bb 65 62 8d a1 03 94 54-5a f8 23 07 ed 35 c8 36 .eb....TZ.#..5.6
0710 - 06 a4 35 82 54 22 76 b7-8d c0 c7 e5 4c ee 17 b9 ..5.T"v.....L...
0720 - 43 2a 58 C*X
depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = hostmaster@example.com
verify return:1
depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 4d ....M
read from 0x1cdb1a0 [0x1dd1c48] (333 bytes => 333 (0x14D))
0000 - 0c 00 01 49 03 00 17 41-04 dc 35 93 bc 84 e3 52 ...I...A..5....R
0010 - 7a c8 fa 92 fe 6f b3 23-fe 6d d6 fe 3b 07 d9 3a z....o.#.m..;..:
( **CUT** )
0130 - a8 67 ac 50 95 4f 85 1a-48 cd 8b 86 c3 8a 38 b6 .g.P.O..H.....8.
0140 - 6c 2e b8 0c b2 a6 a8 6b-3f c1 c0 82 47 l......k?...G
SSL_connect:SSLv3 read server key exchange A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 04 .....
read from 0x1cdb1a0 [0x1dd1c48] (4 bytes => 4 (0x4))
0000 - 0e 00 00 00 ....
SSL_connect:SSLv3 read server done A
write to 0x1cdb1a0 [0x1ddbae0] (75 bytes => 75 (0x4B))
0000 - 16 03 03 00 46 10 00 00-42 41 04 37 fa 53 36 d6 ....F...BA.7.S6.
( **CUT** )
0040 - 34 dd e5 bc 6d 93 d8 40-81 d5 71 4...m..@..q
SSL_connect:SSLv3 write client key exchange A
write to 0x1cdb1a0 [0x1ddbae0] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x1cdb1a0 [0x1ddbae0] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 9d 77 45-e7 4f 6b 4d 6c 93 9c 74 ....(.wE.OkMl..t
0010 - 46 b5 a0 ba e2 e2 1a c8-67 ab 7e 64 27 2c 40 9d F.......g.~d',@.
0020 - 1b ed 20 7f d2 e7 a9 a3-e3 d1 12 3c 2b .. ........<+
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 ca .....
read from 0x1cdb1a0 [0x1dd1c48] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 01 2c-00 c0 b8 fc d9 d3 b5 2e .......,........
0010 - d2 59 2a 66 46 e8 c6 bd-b3 de ea 93 78 d8 11 9f .Y*fF.......x...
( **CUT** )
00b0 - ca 8b 37 58 77 18 57 0c-b7 3e 20 43 a0 a3 25 25 ..7Xw.W..> C..%%
00c0 - 2e 3a a9 da 07 b4 a7 e6-9e 59 .:.......Y
SSL_connect:SSLv3 read server session ticket A
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01 .....
read from 0x1cdb1a0 [0x1dd1c48] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28 ....(
read from 0x1cdb1a0 [0x1dd1c48] (40 bytes => 40 (0x28))
0000 - 77 ac ab 69 7c e6 7f e7-04 47 6d 1d 0b 21 0d 37 w..i|....Gm..!.7
0010 - 5e a5 9a 8b 2b f7 40 9b-b3 f1 e4 53 18 4e ef 84 ^...+.@....S.N..
0020 - 2b ad dc 68 07 b7 cc 28- +..h...(
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID1jCCAz+gAwIBAgIBGjANBgkqhkiG9w0BAQsFADCBwzELMAkGA1UEBhMCREsx
EDAOBgNVBAgTB0Rlbm1hcmsxEzARBgNVBAcTCkNvcGVuaGFnZW4xGDAWBgNVBAoT
( **CUT** )
h6Bxy9YXljo0WbpKbr97MC7N8KzG9WWNyRWrhMdCqz5prL4wIzjoGK2Kmn+EMueF
7B2ok8wsc6HVpaPfS+K4EMlEMosdwRnbZiU=
-----END CERTIFICATE-----
subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2508 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C
Session-ID-ctx:
Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b8 fc d9 d3 b5 2e d2 59-2a 66 46 e8 c6 bd b3 de .......Y*fF.....
0010 - ea 93 78 d8 11 9f 3d be-63 6b 18 d4 36 73 75 18 ..x...=.ck..6su.
( **CUT )
00a0 - c4 9a eb d2 04 19 ca 8b-37 58 77 18 57 0c b7 3e ........7Xw.W..>
00b0 - 20 43 a0 a3 25 25 2e 3a-a9 da 07 b4 a7 e6 9e 59 C..%%.:.......Y
Start Time: 1555651633
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 1a .....
read from 0x1cdb1a0 [0x1dd1c48] (26 bytes => 26 (0x1A))
0000 - 77 ac ab 69 7c e6 7f e8-30 5b 8e cd fb b6 90 69 w..i|...0[.....i
0010 - 01 5e 7f 48 f2 e2 58 c1-ab 7c .^.H..X..|
SSL3 alert read:warning:close notify
closed
write to 0x1cdb1a0 [0x1dd6193] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 9d 77 45-e7 4f 6b 4d 6d 8a df 5a ......wE.OkMm..Z
0010 - a5 3d 1b ac b5 12 3f cb-fb 9d 1a 2b 1c 07 30 .=....?....+..0
SSL3 alert write:warning:close notify
apache-2.4 authentication self-signed-certificate
So I'm trying to set up Apache 2.4 mutual authentication on a virtual host configuration.
Given the below environment, what am I missing?
Server is: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r
Client is: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)
So far I have:
- Generated a self-signed root certificate (CA).
- Generated a server key pair, signed by CA.
- Generated a client key pair, signed by CA.
- Generated a client .p12 certificate from client key pair and CA.
- Added CA to
/usr/local/share/ca-certificates/
, and ran# update-ca-certificates -v
- In Firefox, imported CA under
Certificate Manager, Authorities
. - In Firefox, imported .p12 certificate under
Certificate Manager, Your Certificates
. - Configure Apache to use server certificates. Yay, that's working.
To test certificates I ran:
# openssl s_client -connect www.example.com:443
-cert ./client.crt
-key ./client.key
-CAfile ./CA/ca.crt
-state -debug
Witch ends with Verify return code: 0 (ok)
but with no sign of client certificate in the output.
Full output later.
All this resulted in an error: AH01797: client denied by server configuration
Apache VirtualHost Configuration:

```
<VirtualHost www.example.com:443>
    ServerName www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot "/home/username/local/www/php-dev"
    ErrorLog /home/username/local/www/log/example.com-username.error.log
    TransferLog /home/username/local/www/log/example.com-username.access.log
    SSLEngine on
    #SSLVerifyClient none
    SSLCertificateFile "/etc/httpd/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/httpd/certs/www.example.com.key"
    #SSLCACertificatePath "/etc/httpd/certs"
    SSLCertificateChainFile "/etc/httpd/certs/ca.crt"
    SSLCACertificateFile "/etc/httpd/certs/ca.crt"
    <Directory "/home/username/local/www/php-dev">
        Options +Indexes +FollowSymLinks +MultiViews -Includes
        #RewriteEngine on
        #RewriteBase /
        AllowOverride None
        #AllowOverride AuthConfig
        Order allow,deny
        Require all granted
        # require a client certificate which has to be directly
        # signed by our CA certificate in ca.crt
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth
        #SSLRequire (%{SSL_CLIENT_S_DN_Email} eq "hostmaster@example.com")
        # Use this option to match on DNS (This is working)
        #Require forward-dns client.example.com
        #Require valid-user
    </Directory>
</VirtualHost>
```
OpenSSL test output (-debug hex dumps cut):

```
# openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = hostmaster@example.com
verify return:1
depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
   i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
 1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
   i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
( **CUT** )
-----END CERTIFICATE-----
subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2508 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C
    Session-ID-ctx:
    Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ( **CUT** )
    Start Time: 1555651633
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
```
apache-2.4 authentication self-signed-certificate
asked 5 mins ago by Mogens TrasherDK
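An added diagnostic, not code from the question, that checks both symptoms above against constructed copies of the posted vhost and the s_client state lines. It relies on two documented behaviours: mod_ssl enforces a per-directory SSLVerifyClient by renegotiating after the request line has been read (so a bare handshake never carries a CertificateRequest), and AH01797 is mod_access_compat's denial, which `Order allow,deny` without any Allow directive produces regardless of `Require`.

```python
import re

# Constructed sample of the directives from the question's VirtualHost that matter.
SAMPLE_VHOST = """\
<VirtualHost www.example.com:443>
<Directory "/home/username/local/www/php-dev">
Order allow,deny
Require all granted
SSLVerifyClient optional
</Directory>
</VirtualHost>
"""
# Constructed sample of the tail of the question's `openssl s_client -state` run.
SAMPLE_S_CLIENT = """\
SSL_connect:SSLv3 read server done A
No client certificate CA names sent
Verify return code: 0 (ok)
"""

def directives_by_context(vhost_text):
    """Yield (context, directive, args); context is the innermost section name."""
    stack = []
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(re.match(r"<(\w+)", line).group(1))
        elif line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield (stack[-1] if stack else "server"), name, args.strip()

def diagnose(vhost_text, s_client_output):
    """Return findings that explain the two symptoms in the question."""
    seen = list(directives_by_context(vhost_text))
    findings = []
    # OpenSSL 1.0.2 -state prints 'read server certificate request A' when the server
    # asks for a client cert; a per-directory SSLVerifyClient is only enforced by a
    # renegotiation after the request line, so a bare handshake never triggers it.
    if "read server certificate request" not in s_client_output and any(
            n == "SSLVerifyClient" and c == "Directory" for c, n, _ in seen):
        findings.append("per-directory SSLVerifyClient: client certificate is only "
                        "requested by renegotiation after the request; send a GET from "
                        "s_client or move SSLVerifyClient to the VirtualHost")
    # AH01797 is mod_access_compat's denial; 'Order allow,deny' rejects every request
    # unless at least one Allow directive matches, whatever Require says.
    if any(n == "Order" and a.lower() == "allow,deny" for _, n, a in seen) \
            and not any(n == "Allow" for _, n, _ in seen):
        findings.append("Order allow,deny without an Allow directive: "
                        "mod_access_compat denies every request (AH01797)")
    return findings
```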