
Apache 2.4 mutual authentication - AH01797: client denied by server configuration

So, I am trying to set up Apache 2.4 mutual authentication in a virtual host configuration.

What am I missing in the environment below?

Server: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r

Client: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)

So far I have:

To check the certificates I ran:

# openssl s_client -connect www.example.com:443 \
  -cert ./client.crt \
  -key ./client.key \
  -CAfile ./CA/ca.crt \
  -state -debug

Which ends with Verify return code: 0 (ok) but with no sign of the client certificate in the output.
Full output further down.

All of this resulted in the error: AH01797: client denied by server configuration

Apache VirtualHost configuration:

<VirtualHost www.example.com:443>

    ServerName www.example.com
    ServerAdmin webmaster@example.com

    DocumentRoot "/home/username/local/www/php-dev"

    ErrorLog /home/username/local/www/log/example.com-username.error.log
    TransferLog /home/username/local/www/log/example.com-username.access.log

    SSLEngine on
    #SSLVerifyClient none
    SSLCertificateFile      "/etc/httpd/certs/www.example.com.crt"
    SSLCertificateKeyFile   "/etc/httpd/certs/www.example.com.key"
    #SSLCACertificatePath   "/etc/httpd/certs"
    SSLCertificateChainFile "/etc/httpd/certs/ca.crt"
    SSLCACertificateFile    "/etc/httpd/certs/ca.crt"

    <Directory "/home/username/local/www/php-dev">
        Options +Indexes +FollowSymLinks +MultiViews -Includes

        #RewriteEngine on
        #RewriteBase /

        AllowOverride None
        #AllowOverride AuthConfig

        Order allow,deny
        Require all granted

        # require a client certificate which has to be directly
        # signed by our CA certificate in ca.crt
        SSLVerifyClient         optional
        SSLVerifyDepth          1
        SSLOptions              +FakeBasicAuth
        #SSLRequire             (%{SSL_CLIENT_S_DN_Email} eq "hostmaster@example.com")

        # Use this option to match on DNS (This is working)
        #Require                    forward-dns client.example.com
        #Require                    valid-user

    </Directory>

</VirtualHost>

OpenSSL test result:

# openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = hostmaster@example.com
verify return:1
depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = hostmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
   i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
 1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
   i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
Server certificate
subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2508 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C
    Session-ID-ctx: 
    Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1555651633
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify

OK, I figured it out.

I was missing Allow from All in the Apache VirtualHost configuration.

It took a long time to find the exact answer.

This Stack Overflow answer put me on the right track.

And this one was also useful.
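As an added illustration (this is not the original poster's configuration), the Directory block from the question with the one change the answer describes, next to the Apache 2.4-native form. AH01797 is the message mod_access_compat logs, and its Order allow,deny rule denies every request that no Allow line matches, so the block as posted rejects everything even though Require all granted is present. It assumes mod_access_compat and mod_authz_core are loaded, as in a default 2.4 build.

```apache
# Added example, not the original post's config. Assumes mod_access_compat
# and mod_authz_core are loaded (default in Apache 2.4).

# As posted: "Order allow,deny" with no "Allow" directive denies every
# request, which mod_access_compat logs as AH01797. Shown disabled here.
#<Directory "/home/username/local/www/php-dev">
#    Order allow,deny
#    Require all granted
#</Directory>

# Fix from the answer: add the missing Allow line so the 2.2-style rule
# admits every client, matching what "Require all granted" already says.
<Directory "/home/username/local/www/php-dev">
    Order allow,deny
    Allow from all
    Require all granted

    # Because SSLVerifyClient lives in a <Directory>, the initial handshake
    # does not request a client certificate; mod_ssl renegotiates only once
    # a request reaches this path. That is why s_client, which sends no
    # HTTP request, shows "No client certificate CA names sent".
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions      +FakeBasicAuth
</Directory>

# Alternative, 2.4-only form (use this instead of the block above, not in
# addition to it): drop the Order/Allow pair and keep only Require.
# Caveat: "SSLVerifyClient optional" still admits clients that present no
# certificate, so "Require all granted" grants access without mutual auth.
# To enforce it, use "SSLVerifyClient require", or keep "optional" with
# +FakeBasicAuth and the "Require valid-user" line the posted config has
# commented out (which needs AuthType Basic and an AuthUserFile listing
# the allowed certificate DNs).
#<Directory "/home/username/local/www/php-dev">
#    Require all granted
#
#    SSLVerifyClient optional
#    SSLVerifyDepth  1
#    SSLOptions      +FakeBasicAuth
#</Directory>
```

After changing the block, apachectl configtest and a browser request to the protected path (not a bare s_client handshake) are the checks that confirm the renegotiation asks for and accepts the client certificate.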