
I am trying to set up Client Certificate Authentication for a web service that is running on Rails. The service is running on apache2, passenger, and mod_ssl. I have been able to successfully generate the keys and set up the Client Certificate authentication for the entire domain. This works fine; however, when I try to include the Location directive I always get this error (from browsers and the ruby client):

SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError).  

When I run the command from curl I get this error:

curl: (52) Empty reply from server

I remove the directive and it works fine. This is what my configuration for this virtual host looks like.

<VirtualHost *:443 *:80>
    ServerName wrangler.optimis.local
    DocumentRoot "/Users/jmoore/Sites/data-wrangler/public/"
    RackEnv development
    ErrorLog "/Users/jmoore/Sites/data-wrangler/log/error.log"
    CustomLog "/Users/jmoore/Sites/data-wrangler/log/access.log" common
    SetEnv GEM_HOME /Users/jmoore/.rvm/gems/ree-1.8.7-2010.02
    SetEnv GEM_PATH /Users/jmoore/.rvm/gems/ree-1.8.7-2010.02

    # Enable SSL on this domain
    SSLEngine on
    SSLProtocol ALL
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/apache2/ssl.key/new/wrangler_servercert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/new/wrangler_server.nopass.key

    # Enable SSL client certificates, but disable verification for the entire domain (we only want it on specific URLs)
    #SSLCACertificatePath /etc/apache2/ssl.key/new/demoCA
    SSLCACertificateFile /etc/apache2/ssl.key/new/demoCA/cacert.pem
    #SSLCertificateChainFile /etc/apache2/ssl.key/new/demoCA/cacert.pem
    #SSLVerifyClient require
    SSLVerifyClient none
    #SSLVerifyDepth 1

    <Location /test>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>

My research has indicated that this is usually caused by bad certificates so I have regenerated the certificates several times and each time it works fine for the entire domain but gives the handshake error when I try to limit to just one location. Since these configurations are suggested by the apache documentation I am not sure what is going wrong. Does anybody know how to resolve the handshake problem that happens when you try to limit the client authentication to one location?

Josh Moore

2 Answers

Does your server support the TLS renegotiation extension (RFC 5746)? Does it have a version of OpenSSL that blocks renegotiation altogether (which was the interim fix for CVE-2009-3555)?

If SSLVerifyClient is limited to a Location, this entails a second handshake to renegotiate the client-certificate. This is where the security issue in SSL/TLS (CVE-2009-3555) was happening and what RFC 5746 fixes (provided the client supports it too).

More information on the versions in this StackOverflow answer.

Bruno

The problem is the SSLVerifyClient directive. If located inside a Location or Directory, you will get this problem. The SSLVerifyClient require and SSLVerifyDepth must be set at the VirtualHost level.
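Both answers point at the same configuration pattern: SSLVerifyClient and SSLVerifyDepth scoped to a Location or Directory block force a second handshake (a renegotiation), which fails when client or server does not support RFC 5746 or has renegotiation disabled. As an added example that is not part of this thread, the Python script below is a small linter that walks an Apache config, tracks which container sections are open, and reports every SSLVerifyClient/SSLVerifyDepth that sits inside a section narrower than the VirtualHost. The sample config it checks is constructed for this example (placeholder paths and hostname, not the asker's files), and the section and directive names are the standard mod_ssl ones.

```python
import re
from typing import List, Tuple

# Directives that trigger a TLS renegotiation when scoped below the VirtualHost.
RENEG_DIRECTIVES = {"sslverifyclient", "sslverifydepth"}

# Container sections that are narrower than a VirtualHost; a client-cert
# requirement inside one of these can only be enforced by renegotiating.
NARROW_SECTIONS = {
    "location", "locationmatch",
    "directory", "directorymatch",
    "files", "filesmatch",
}

SECTION_OPEN = re.compile(r"^<(\w+)\b[^>]*>$")
SECTION_CLOSE = re.compile(r"^</(\w+)\s*>$")


def find_scoped_verify(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, directive_line, enclosing_section) for each
    SSLVerifyClient/SSLVerifyDepth found inside a Location/Directory/Files block.

    Comments and blank lines are skipped; section nesting is tracked with a stack.
    """
    findings: List[Tuple[int, str, str]] = []
    stack: List[str] = []  # lower-cased names of currently open sections

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1).lower())
            continue

        closed = SECTION_CLOSE.match(line)
        if closed:
            if stack and stack[-1] == closed.group(1).lower():
                stack.pop()
            continue

        directive = line.split()[0].lower()
        if directive in RENEG_DIRECTIVES:
            narrow = [s for s in stack if s in NARROW_SECTIONS]
            if narrow:
                findings.append((line_no, line, narrow[-1]))

    return findings


# Constructed sample that mirrors the layout of the question's config.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    SSLCACertificateFile /path/to/ca.pem
    SSLVerifyClient none
    <Location /test>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>
"""


def report(config_text: str) -> List[str]:
    """Human-readable lines for each finding, suggesting the VirtualHost-level fix."""
    return [
        f"line {n}: '{d}' inside <{s}> requires a TLS renegotiation; "
        f"move it to the VirtualHost level"
        for n, d, s in find_scoped_verify(config_text)
    ]


if __name__ == "__main__":
    for msg in report(SAMPLE_CONFIG):
        print(msg)
```

Run it against a real vhost file by reading the file into `find_scoped_verify`; an empty result means every client-certificate requirement is already at VirtualHost scope and no renegotiation is needed for the handshake to complete.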