Two-way SSL authentication with Apache 2.2 and OpenSSL 1.0.1e-fips

I have a CentOS 6 server running Apache 2.2.15 and OpenSSL 1.0.1e-fips. I'm trying to set up two-way SSL authentication for a specific location within the web root. A third party has provided a public (plain text) and a private (binary) certificate.

I need some guidance on how to include the public and private certificates to get the handshake working, because I get the following error:

Re-negotiation handshake failed: Not accepted by client!?

Here is what I have in my /etc/httpd/conf.d/ssl.conf file for this section:

```
<Location /api/path/>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile /etc/pki/tls/private/public.cer
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
</Location>
```

Admittedly, I'm not an SSL expert. I know enough to install certificates and get them working. I have set logging to the "debug" level. I have tried to follow these guides:

Configuring two-way authentication SSL with Apache

http://www.cafesoft.com/products/cams/ps/docs32/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html

Thanks in advance!

The full ssl.conf file:

```
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost *:443>
DocumentRoot "/var/www/html/staging-site"
ServerName staging.site.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/cert.crt
SSLCertificateKeyFile /etc/pki/tls/private/private.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCACertificateFile /etc/pki/tls/certs/rapidssl.crt
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

<Location /path/api/>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile /etc/pki/tls/private/3rdpartyprivate.cer
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
</Location>

# SSL Engine Options:
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Per-Server Logging:
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

I think you're not using the right certificates in the right places. You should use SSLCertificateFile (the certificate in PEM format), SSLCertificateKeyFile (the key matching the certificate, in PEM format) and SSLCertificateChainFile (starting from the certificate of the CA that issued the host certificate, up to and including the root certificate, in PEM format).

For SSLCACertificateFile you must use the certificate of the CA that signed the client certificates (also in PEM format).

Here is a complete example. Keep in mind that I'm using a server certificate signed by the same CA that signed the client certificate. Adjust if your needs differ.

  • Generate the certificates:

```
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=Some State/L=FancyTown/O=SomeOrg/CN=Self-Signed CA"
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=Some State/L=FancyTown/O=SomeOrg/CN=client"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=Some State/L=FancyTown/O=SomeOrg/CN=server"
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
```

  • Move them to a more convenient location (the directory the configuration below refers to):

```
mkdir /etc/_ssl ; mv * /etc/_ssl
```

  • Install the web server and mod_ssl:

```
yum install -y httpd mod_ssl
```

  • Wipe the default TLS configuration:

```
truncate -s0 /etc/httpd/conf.d/ssl.conf
```

  • Common TLS configuration for all VHosts, /etc/httpd/conf.d/00-ssl.conf:

```
LoadModule ssl_module modules/mod_ssl.so

Listen 443 https
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLStaplingCache shmcb:/run/httpd/stapling_cache(128000)
SSLUseStapling off

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

SSLStrictSNIVHostCheck off
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1 -SSLv3
SSLHonorCipherOrder on

SSLCompression off
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:-RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA
```

  • VHost configuration, /etc/httpd/conf.d/50-ssl-vhost.conf:

```
<VirtualHost *:443>
ServerAlias localhost.localdomain localhost
ServerName server
SSLEngine on
SSLCertificateFile /etc/_ssl/server.crt
SSLCertificateKeyFile /etc/_ssl/server.key
SSLCertificateChainFile /etc/_ssl/ca.crt
SSLCACertificateFile /etc/_ssl/ca.crt

SSLVerifyClient require
SSLVerifyDepth 10
DocumentRoot /var/www/html
<Directory /var/www/html>
    Require all granted
</Directory>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
</VirtualHost>
```

  • Create an index.html file to test with:

```
echo 'It works!' > /var/www/html/index.html
```

  • Start httpd:

```
systemctl enable --now httpd
```

  • Add the host name:

```
echo '127.0.1.1 server' >> /etc/hosts
```

  • Test:

This works (auth ok):

```
( echo -en 'GET / HTTP/1.1\r\nHost: server\r\n\r\n' ; sleep 2) | openssl s_client -CAfile /etc/_ssl/ca.crt -cert /etc/_ssl/client.crt -key /etc/_ssl/client.key -connect server:443 -servername server
```

This does not, as we did not supply a proper certificate:

```
( echo -en 'GET / HTTP/1.1\r\nHost: server\r\n\r\n' ; sleep 2) | openssl s_client -CAfile /etc/_ssl/ca.crt -connect server:443 -servername server
```
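The file roles described in the answer above, checked with the openssl CLI before httpd is restarted, as an added example that is not part of the original answer. It assumes openssl is installed; the CA, server and client certificates it generates for its self-test are constructed throwaways, and the function names are this example's own:

```shell
#!/bin/sh
# Added example, not part of the original answer: preflight checks that each
# file is in the role mod_ssl expects before restarting httpd. Assumes the
# openssl CLI is installed; all paths are arguments or a constructed demo PKI.
set -eu
# pubkey_matches CERT KEY: succeeds if KEY is the private half of CERT's public key
pubkey_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# chain_verifies TRUST_FILE LEAF: succeeds if LEAF chains to a CA in TRUST_FILE
# (the chain file is expected to include the root, as the answer describes;
# the ": OK" text is matched because old openssl versions exit 0 on failure)
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# check_mtls_files SERVER_CRT SERVER_KEY SERVER_CHAIN CLIENT_CA CLIENT_CRT
# Arguments follow the directive roles: SSLCertificateFile, SSLCertificateKeyFile,
# SSLCertificateChainFile, SSLCACertificateFile, plus one client cert to test.
check_mtls_files() {
    pubkey_matches "$1" "$2" ||
        { echo "SSLCertificateKeyFile does not match SSLCertificateFile" >&2; return 1; }
    chain_verifies "$3" "$1" ||
        { echo "SSLCertificateChainFile does not validate the server cert" >&2; return 1; }
    chain_verifies "$4" "$5" ||
        { echo "client cert was not issued by the CA in SSLCACertificateFile" >&2; return 1; }
    echo "all files are in the expected roles"
}

# make_demo_pki DIR: constructed throwaway CA, an unrelated CA, a server and a client cert
make_demo_pki() {
    mkdir -p "$1"
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.crt" 2>/dev/null
    done
    for n in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$1/$n.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
            -CAcreateserial -out "$1/$n.crt" 2>/dev/null
    done
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_demo_pki "$d"
    check_mtls_files "$d/server.crt" "$d/server.key" "$d/ca.crt" "$d/ca.crt" "$d/client.crt"
    # The mistake from the question: the SSLCACertificateFile slot holds a CA that never signed the client
    check_mtls_files "$d/server.crt" "$d/server.key" "$d/ca.crt" "$d/other.crt" "$d/client.crt" || true
fi
```

Run it with `--demo` to see the correct layout pass and the wrong client CA fail; to check a real installation, call check_mtls_files with the five files named in your own ssl.conf.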

For our case, we made three changes:

  1. Uncommented SSLCertificateChainFile and set it to the certificate chain file from RapidSSL (who issued our certificate).

  2. Changed SSLCACertificateFile to the CA chain file of the third party's issuer (who issued their certificate).

  3. Removed SSLCACertificateFile from the `<Location>` block.

Once we made these changes and restarted, two-way authentication worked and they were able to access the API.

Thanks to @fuero for the help.