
I'm trying to implement SSL (HTTPS) on my local web server to protect specified directories on Apache's websites where a user logs in, combining SSL and HTTP Basic Authentication. I have followed guides here and Apache's mod_ssl mostly. I have set up a local CA and created the CA's certificate "cacert.pem":

sudo openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/CA/private/cakey.pem -out /etc/ssl/CA/cacert.pem -days 3650
sudo openssl ca -gencrl -out /etc/ssl/CA/crl/crl.pem

Created keys and certificates:

sudo openssl genrsa -out webserver.key 2048
sudo openssl req -new -key webserver.key -out webserver.csr
sudo openssl ca -in webserver.csr -config /etc/ssl/openssl.cnf
# and now we have generated the signed certificate "webserver.pem"
sudo openssl genrsa -out website.key 2048
sudo openssl req -new -key website.key -out website.csr
sudo openssl ca -in website.csr -config /etc/ssl/openssl.cnf
# and now we have generated the signed certificate "website.crt"
sudo openssl pkcs12 -export -clcerts -in website.crt -inkey website.key -out website.p12

I have enabled mod_ssl and edited the lines in default-ssl:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /path/to/apache/webserver.pem
    SSLCertificateKeyFile /path/to/apache/webserver.key
    SSLCACertificatePath /etc/ssl/CA/certs/
    SSLCACertificateFile /etc/ssl/CA/cacert.pem
    SSLCARevocationPath /etc/ssl/CA/crl/
    SSLCARevocationFile /etc/ssl/CA/crl/crl.pem
</VirtualHost>
</IfModule>

My local website.conf (inside sites-enabled) looks like this:

<VirtualHost *:80>
    ServerAdmin admin@website.com
    ServerName local.website.com
    DocumentRoot /path/to/public_html
    ErrorLog /path/to/error_log
    CustomLog /path/to/access_log combined
    DirectoryIndex index.php index.html
    <Directory /path/to/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@gwebsite.com
        ServerName local.website.com
        DocumentRoot /path/to/public_html

        SSLEngine on
        SSLVerifyClient      none
        SSLCertificateFile /path/to/website.crt
        SSLCertificateKeyFile /path/to/website.key

        <Location /secure_area>
            SSLRequireSSL
        </Location>

    </VirtualHost>
</IfModule>

My .htaccess inside the folder that I need to protect looks like this:

### Redirecting ###
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} !^443$
    RewriteCond %{REQUEST_URI} ^/secure_area(/)?$
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</IfModule>

### HTTP Authentication ###
<IfModule mod_authn_file.c>
    AuthType Basic
    # The two lines below are the ones toggled in the question
#   SSLRequireSSL
#   SSLVerifyClient      require
    SSLVerifyDepth       3
    SSLCipherSuite       RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLOptions           +FakeBasicAuth
    AuthName "Restricted Area."
    AuthUserFile /path/to/htpasswd
    # <Limit GET POST> applies Require only to GET and POST, not to other methods
    <Limit GET POST>
        Require valid-user
    </Limit>
    Satisfy All
</IfModule>

Works fine, but if I uncomment "SSLVerifyClient" my browser returns the message "Error code: ssl_error_handshake_failure_alert". Also, if I uncomment "SSLRequireSSL" (and remove it from my website.conf) it redirects to my error page. What am I doing wrong? Am I missing something here? Where does the problem seem to be: certificates, Apache or something else?

HopelessN00b
ioaniatr
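The handshake failure with `SSLVerifyClient require` comes down to one check: mod_ssl only accepts a client certificate that verifies against the CA(s) in `SSLCACertificateFile` / `SSLCACertificatePath`, so a browser that holds no such certificate (or only the server certificate, or a certificate from some other CA) cannot complete the handshake. The script below is an added example, not the asker's commands or Apache project code: it builds a throwaway CA in a temporary directory, issues a server and a client certificate from it, creates one self-signed certificate that no CA vouches for, and runs the same chain check offline with `openssl verify` before the client bundle is exported as a `.p12`. The subject names (`Local Test CA`, `local.website.com`, `testuser`, `stranger`) and the `demo` password are made-up values.

```shell
#!/bin/sh
# Added example, not code from the original question. Builds a throwaway
# local CA in a temp dir, issues certificates from it, and shows with
# "openssl verify" which certificates chain to that CA. All subject names
# below are made up.
set -e

WORK="$(mktemp -d)"

# Self-signed CA. -nodes leaves the demo key unencrypted so nothing prompts.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Local Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Issue a certificate with CN=$1, signed by the local CA, written as $2.crt.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# A self-signed certificate that our CA never issued: the situation of a
# browser presenting a certificate that does not chain to the server's CA.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 if $1.crt verifies against the local CA. This is the same chain
# check mod_ssl applies to a client certificate against SSLCACertificateFile
# when SSLVerifyClient is set to "require".
chains_to_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

# Bundle a client certificate and key as PKCS#12 for import into a browser,
# as the question does with "openssl pkcs12 -export". Exit 0 on success.
bundle_client() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/$1.p12" -passout pass:demo 2>/dev/null
}

# Whole walkthrough: one line per certificate saying whether it chains.
demo() {
    make_ca
    issue_cert local.website.com server
    issue_cert testuser client
    make_self_signed stranger stranger
    for name in server client stranger; do
        if chains_to_ca "$name"; then
            echo "$name.crt: chains to Local Test CA"
        else
            echo "$name.crt: NOT issued by Local Test CA (SSLVerifyClient require would reject it)"
        fi
    done
    bundle_client client
    echo "client bundle written to $WORK/client.p12 (import this into the browser)"
}

demo
```

Only `server.crt` and `client.crt` pass `chains_to_ca`; `stranger.crt` fails, which is the condition the browser ends up in when it has nothing issued by the CA listed in `SSLCACertificateFile`. The `.p12` produced by `bundle_client` is the kind of file that has to be imported into every browser that should reach the page once `SSLVerifyClient require` is active; importing `cacert.pem` alone lets the browser trust the server, but it does not give the browser a client certificate to present.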
  • Examine the ssl error logs, typically in `/var/log/httpd` – KM. Dec 07 '14 at 18:06
  • [Sun Dec 07 21:34:18 2014] [error] [client 127.0.0.1] Re-negotiation handshake failed: Not accepted by client!? [Sun Dec 07 21:34:18 2014] [error] [client 127.0.0.1] Re-negotiation request failed [Sun Dec 07 21:34:18 2014] [error] SSL Library Error: 336117909 error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed – ioaniatr Dec 07 '14 at 19:35
  • The above is created on ssl error. Which means ? – ioaniatr Dec 07 '14 at 19:36
  • Looks like the browser (aka client) you're connecting with does not have the necessary certificates. Are your certs self-signed? If you don't need the client to send a certificate, you can remove `SSLVerifyClient`. If that is a must, then try importing the CA and server certificate into your browser (consult browser's docs). – KM. Dec 08 '14 at 13:37
  • My certs are signed from my local CA. Looks like I need to import my local CA into browser's trusted CAs. Found something for firefox here `http://www.cyberciti.biz/faq/firefox-adding-trusted-ca/`. The `website.crt` is imported from user when tries to access using https. If I uncomment `SSLVerifyClient`, I also need to import `webserver.pem` and `cacert.pem` into every browser that I want to access this page? Also with commented out `SSLVerifyClient` and uncommented `SSLVerifyDepth` my browser redirects into error page and throws `Unexpected Error Code`. Strange, is that normal? – ioaniatr Dec 10 '14 at 12:06
  • Well, `Unexpected Error Code` is not for uncommented `SSLVerifyDepth` option after all. Something else is going on, and no errors in (known) logs anywhere so far. Working out for that... – ioaniatr Dec 10 '14 at 12:37
  • Found it, `Unexpected Error Code` is for `Require valid-user`. Any idea? – ioaniatr Dec 10 '14 at 12:41
  • @ioaniatr , did you find root cause and solution for the error Re-negotiation handshake failed..... posted by you from error log? If yes can you please post your RCA and answer here. Thanks – Vishal Singh Sep 12 '17 at 11:48

0 Answers