
I have configured an SSL certificate which will be acting as a client certificate and connecting to a remote server on port 100 over SSL.

In my Apache config I have done the following configuration for SSL:

SSLProxyEngine on
SSLProxyVerify optional
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

SSLProxyMachineCertificateFile /opt/SP/apps/proxy/conf/certs/es_snf_prx_prd_cert.pem
SSLProxyCACertificateFile      /opt/SP/apps/proxy/conf/certs/esprx/vf_es_ca_cert_browser_exp.pem

To test my SSL client certificate I have tried connecting to the remote server via curl as follows and got the SSL connect error:

curl -vvvv --cert '/opt/SP/apps/proxy/conf/certs/es_snf_prx_prd_cert.pem' "https://47.60.13.249:100/"
* About to connect() to 47.60.13.249 port 100 (#0)
*   Trying 47.60.13.249... connected
* Connected to 47.60.13.249 (47.60.13.249) port 100 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

How do I fix this and test my SSL connection with the remote server using a client certificate?
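An added example, not part of the original question or its comments, covering the two things the question asks for, offline: a pre-flight check of the client PEM file as Apache's SSLProxyMachineCertificateFile (and curl --cert) need it, i.e. certificate plus unencrypted private key in one file, key matching the certificate, certificate chaining to the intended CA; and a loopback mutual-TLS handshake against an openssl s_server that requires a client certificate, which is presumably what the remote server on port 100 does. Everything in it is constructed locally (a throwaway CA, server and client certificates, an arbitrary loopback port) and only the openssl command line tool is assumed. Two points it is written around: NSS error -12263 is SSL_ERROR_RX_RECORD_TOO_LONG, which usually means the peer answered with something that was not a TLS record at all (a plaintext service on that port, or a middlebox), so the client certificate was never consulted; and the posted SSLProxyCheckPeerCN off / SSLProxyCheckPeerExpire off switch off hostname and expiry checking of the backend certificate, so the proxy would present its client certificate to any host holding a certificate from that CA, expired or not. The client side below does the opposite and aborts when the server's chain or address does not verify.

```shell
#!/bin/sh
# Added example (not from the original question): build a throwaway PKI, pre-flight
# the client PEM file the way Apache's SSLProxyMachineCertificateFile and curl --cert
# need it, then run a loopback mutual-TLS handshake. Assumes only the openssl CLI;
# the CA/host names, work directory and port below are arbitrary (constructed) values.
set -u
WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

issue_cert() {   # $1 = name, remaining args = extra "openssl x509" options (e.g. -extfile)
    name=$1; shift
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 "$@" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# 1. Constructed test PKI: one CA issuing a server cert (SAN = 127.0.0.1, so the client
#    can verify the address it connects to) and a client cert.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=IP:127.0.0.1\n' > "$WORK/san.cnf"
    issue_cert server -extfile "$WORK/san.cnf" || return 1
    issue_cert client || return 1
    # What SSLProxyMachineCertificateFile expects: certificate followed by its
    # UNENCRYPTED private key in one PEM file. A cert-only file is the common mistake.
    cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/client-bundle.pem"
    cp "$WORK/client.crt" "$WORK/client-cert-only.pem"
}

# 2. Pre-flight on a client PEM file. Prints "ok" or the first problem found.
check_client_bundle() {   # $1 = client PEM file, $2 = CA file to chain against
    pem=$1; ca=$2
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
    grep -q 'PRIVATE KEY' "$pem"       || { echo "no private key in $pem"; return 1; }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)   # key may follow the cert
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }
    openssl x509 -in "$pem" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
        || { echo "certificate does not chain to $ca"; return 1; }
    echo ok
}

# 3. End to end: a loopback server that REQUIRES a client certificate (-Verify), and a
#    client that verifies the server's chain and IP and aborts on failure
#    (-verify_return_error), the opposite of SSLProxyCheckPeer* off. Prints ok/fail.
mtls_handshake() {   # $1 = client PEM (cert+key), or "" to send no client certificate
    port=$((30000 + $$ % 10000))          # arbitrary loopback port
    openssl s_server -accept "$port" -cert "$WORK/server.crt" -key "$WORK/server.key" \
        -CAfile "$WORK/ca.pem" -Verify 1 -www >/dev/null 2>&1 &
    srv=$!
    certopt=""; [ -n "$1" ] && certopt="-cert $1"   # key is read from the same file
    tries=5; out=""
    while [ $tries -gt 0 ]; do            # retry while s_server is still binding
        out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$port" \
            $certopt -CAfile "$WORK/ca.pem" -verify_ip 127.0.0.1 -verify_return_error \
            -quiet -ign_eof 2>&1 || true)
        case "$out" in *connect:errno*) tries=$((tries - 1)); sleep 1 ;; *) break ;; esac
    done
    kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
    case "$out" in *"HTTP/1.0 200"*) echo ok ;; *) echo fail ;; esac   # -www status page
}

make_test_pki || { echo "could not build test PKI" >&2; exit 1; }
echo "cert+key bundle : $(check_client_bundle "$WORK/client-bundle.pem" "$WORK/ca.pem")"
echo "cert-only file  : $(check_client_bundle "$WORK/client-cert-only.pem" "$WORK/ca.pem")"
echo "mTLS with bundle: $(mtls_handshake "$WORK/client-bundle.pem")"
echo "mTLS, no cert   : $(mtls_handshake "")"
```

Against a real server the equivalent client call with an OpenSSL- or GnuTLS-built curl is `curl -v --cert client-bundle.pem --cacert ca.pem https://host:port/` (the key is read from the --cert file when --key is omitted, and --cacert is the CA that issued the server certificate, the counterpart of SSLProxyCACertificateFile). The "Initializing NSS" line in the posted trace shows an NSS-built curl, which interprets --cert as a nickname in its NSS database (/etc/pki/nssdb here) unless the NSS PEM PKCS#11 module is available, so a PEM path may not do what it does with the OpenSSL build; `openssl s_client -connect host:port -cert client-bundle.pem -CAfile ca.pem -verify_return_error` sidesteps that difference, and if its very first output is a garbled or plaintext reply rather than a certificate chain, the port is not speaking TLS.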

  • Your configuration does not include any certificate for the server itself (i.e. `SSLCertificateFile` and `SSLCertificateKeyFile`) which means that SSL to the server will not work. See also the error log from apache. – Steffen Ullrich Nov 30 '19 at 11:00
  • Hi Steffen, I have indeed included the certs for the server itself but did not mention them here. Here is the config for the same: SSLCertificateFile /var/SP/data/apache/ssl/server.int.com.ssl.pem SSLCertificateKeyFile /var/SP/data/apache/ssl/server.int.com-key-nopass.pem SSLCACertificateFile /var/SP/data/apache/ssl/server.int.com_cert_ca.pem – Mayur Kadam Nov 30 '19 at 11:19
  • To cite myself: *"See also the error log from apache."*. Have you checked this? Maybe it has trouble loading the certificates due to wrong path or permission problems or similar. – Steffen Ullrich Nov 30 '19 at 12:55
  • I see the following error but it does not seem to be related to the issue: [Sat Nov 30 19:38:05.471843 2019] [ssl:debug] [pid 7690:tid 140613062199040] ssl_engine_io.c(1367): (70014)End of file found: [client 172.17.219.166:42753] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] [Sat Nov 30 19:38:05.471854 2019] [ssl:info] [pid 7690:tid 140613062199040] [client 172.17.219.166:42753] AH01998: Connection closed to child 76 with abortive shutdown (server server.int.com:443). Please open the question as it's still not clear. – Mayur Kadam Nov 30 '19 at 19:49
  • Never use cURL to debug Apache, you'll end up debugging errors with no relation with Apache behavior. As I see it, cURL doesn't have the proper CA and won't connect (no surprise here since it doesn't use the same files). If you want to test SSL connection between Apache and a remote server, use Apache to test it, raise the log level if you need to. – Andre Gelinas Dec 01 '19 at 15:07
