Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


Awesome
4794 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

Topic # 193464 11-Mar-2016 22:05
Send private message

I have a site on my Apache server that I have secured with certificate authentication. The client certificates are signed by the CA I created with OpenSSL and the HTTPS SSL certificate is from StartSSL.

 

If I open the site in Firefox, confirm the client certificate at the prompt it works beautifully! But if I do the same in IE or Chrome, I get a generic unhelpful message in IE, and Chrome reports "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED".

 

I've done some googling to no avail. All the responses seem to be limited to old browsers/OS that do not support TLS1.2. I can see from Firefox that the connection is working nicely with TLS1.2 so I am stumped as to why it's not working in the other browsers. If I turn the auth off in Apache the site loads on all browsers fine and passes with an A rating on SSLLabs.com

 

There is nothing in my apache error log, so it seems to be a client side error.

 

Anyone come across this before or have any ideas?





Twitter: ajobbins


Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
257 posts

Ultimate Geek
+1 received by user: 83


  Reply # 1511629 11-Mar-2016 22:19
Send private message

Did you install StartSSL CA certificate (and the intermediate ones if they provide them) on Apache?


gzt

9834 posts

Uber Geek
+1 received by user: 1472


  Reply # 1511640 11-Mar-2016 22:43
Send private message

Where is the client certificate installed? From memory (on Windows) Firefox has its own thing, but IE and Chrome use the machine Windows/Microsoft Certificate store.

489 posts

Ultimate Geek
+1 received by user: 104

Subscriber

  Reply # 1511642 11-Mar-2016 22:46
Send private message

What version of windows, chrome and IE? As above firefox keeps its own CA store so it may be an issue with the windows CA store. Have you tried another windows PC?





Geoff E



Awesome
4794 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

  Reply # 1511644 11-Mar-2016 22:46
Send private message

marpada:

 

Did you install StartSSL CA certificate (and the intermediate ones if they provide them) on Apache?

 

 

Yes, and it's not a StartSSL issue - that part all works fine. It's the client certificate auth with is self signed with the CA I created with OpenSSL. And Firefox is happy and it all works fine. I've even added my CA to the windows trust store so it trusts the self signed cert, but it still doesn't help.

 

I've just done a wireshark trace too. It's client (browser) side without a doubt. IE and Chrome just stop right after SSL connection (The StartSSL bit) and just before the client certificate auth is done - nothing over the wire from that point.

 

Have tried with 3 different machines on two networks. Two Win 10 and one Win 7





Twitter: ajobbins




Awesome
4794 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

  Reply # 1511651 11-Mar-2016 22:51
Send private message

gzt: Where is the client certificate installed? From memory (on Windows) Firefox has its own thing, but IE and Chrome use the machine Windows/Microsoft Certificate store.

 

 

 

Yes, IE and Chrome appear to share the windows cert store. But it's there - just no idea why it doesn't like it! The browser error messages are not at all helpful.

 

Click to see full size





Twitter: ajobbins


241 posts

Master Geek
+1 received by user: 38


  Reply # 1511675 12-Mar-2016 00:22
Send private message

 

 

did you add this to your apache2.conf ?

 

SSLEngine on SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

 

SSLCertificateKeyFile /etc/apache2/ssl/site/domain.key

 

SSLCertificateFile /etc/apache2/ssl/site/domain.crt

 

SSLCACertificateFile /etc/apache2/ssl/site/bundle.crt

 

SSLHonorCipherOrder on

 

SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"

 

BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


gzt

9834 posts

Uber Geek
+1 received by user: 1472


  Reply # 1511709 12-Mar-2016 02:02
Send private message

Btw what do the Apache logs currently say for this event/sequence?



Awesome
4794 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

  Reply # 1512079 12-Mar-2016 17:09
Send private message

gzt: Btw what do the Apache logs currently say for this event/sequence?

 

There is nothing in the Apache logs at all as it appears to be the browser not Apache. It serves to Firefox perfectly and I can see that in the logs.

 

 





Twitter: ajobbins




Awesome
4794 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

  Reply # 1512083 12-Mar-2016 17:24
Send private message

biggal:

 

 

 

did you add this to your apache2.conf ?

 

SSLEngine on SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

 

SSLCertificateKeyFile /etc/apache2/ssl/site/domain.key

 

SSLCertificateFile /etc/apache2/ssl/site/domain.crt

 

SSLCACertificateFile /etc/apache2/ssl/site/bundle.crt

 

SSLHonorCipherOrder on

 

SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"

 

BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

 

 

 

 

My Apache conf largely matches, except I a stricter set of ciphers and protocols:

 

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

 

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

 

 

 

But even if I swap in your config, or if I set the ciphers and config to all, same result. Works in FF but not in IE or Chrome

 

 





Twitter: ajobbins


1526 posts

Uber Geek
+1 received by user: 143

Trusted

  Reply # 1512102 12-Mar-2016 18:19
Send private message

ajobbins:

 

 

 

My Apache conf largely matches, except I a stricter set of ciphers and protocols:

 

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

 

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

 

 

 

But even if I swap in your config, or if I set the ciphers and config to all, same result. Works in FF but not in IE or Chrome

 

 

 

 

thats some really poor config

 

 

Have a read of

 

https://wiki.mozilla.org/Security/Server_Side_TLS

 

 

try using

 

https://mozilla.github.io/server-side-tls/ssl-config-generator/

 

 

and then testing with

 

https://www.ssllabs.com/ssltest/index.html

 

 





CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB:  Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

 

 




Awesome
4794 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

  Reply # 1512110 12-Mar-2016 18:33
Send private message

mentalinc:
ajobbins:

 

 

 

My Apache conf largely matches, except I a stricter set of ciphers and protocols:

 

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

 

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

 

 

 

But even if I swap in your config, or if I set the ciphers and config to all, same result. Works in FF but not in IE or Chrome

 

 

 

thats some really poor config Have a read of https://wiki.mozilla.org/Security/Server_Side_TLS try using https://mozilla.github.io/server-side-tls/ssl-config-generator/ and then testing with https://www.ssllabs.com/ssltest/index.html

 

How so? That's that config Apache recommends by 2016 for strong encryption. With these settings I am getting an A rating from SSL labs.

 

 

 

I installed the client auth cert on my phone and all works in Chrome on Android fine. There is something Windows doesn't like about the cert but I don't know where to look for more info.

 

 





Twitter: ajobbins


241 posts

Master Geek
+1 received by user: 38


  Reply # 1512171 13-Mar-2016 01:32
Send private message

ajobbins:

 

 

 

My Apache conf largely matches, except I a stricter set of ciphers and protocols:

 

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

 

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

 

 

 

But even if I swap in your config, or if I set the ciphers and config to all, same result. Works in FF but not in IE or Chrome

 

 

 

 

pm me you site url and ill have a look





 

 

 


13921 posts

Uber Geek
+1 received by user: 2471

Trusted
Subscriber

  Reply # 1512173 13-Mar-2016 07:15
Send private message

Only offering TLS1.2 restricts the clients that will work. Add at least TLS1.1, at least as a test, and add TLS1.0 temporarily to see if it starts workign.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


1526 posts

Uber Geek
+1 received by user: 143

Trusted

  Reply # 1512179 13-Mar-2016 08:18
Send private message

timmmay:

Only offering TLS1.2 restricts the clients that will work. Add at least TLS1.1, at least as a test, and add TLS1.0 temporarily to see if it starts workign.

 

 

Chrome isn't going to be impacted by only having TLS1.2.. unless they have a super old version!

 





CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB:  Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

 

 


13921 posts

Uber Geek
+1 received by user: 2471

Trusted
Subscriber

  Reply # 1512180 13-Mar-2016 08:21
Send private message

Probably not, but it will give more information. I know my servers were generally more compatible and worked with more browsers when I added TLS 1.1 and 1.0 than when I was 1.2 only.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


 1 | 2
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Cove sells NZ's first insurance policy via chatbot
Posted 25-Jun-2018 10:04


N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08


Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03


Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27


Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13


Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00


Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12


Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52


Kogan.com to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34


Enable doubles fibre broadband speeds for its most popular wholesale service in Christchurch
Posted 2-Jun-2018 20:07


All or Nothing: New Zealand All Blacks arrives on Amazon Prime Video
Posted 2-Jun-2018 16:21


Innovation Grant, High Tech Awards and new USA office for Kiwi tech company SwipedOn
Posted 1-Jun-2018 20:54


Commerce Commission warns Apple for misleading consumers about their rights
Posted 30-May-2018 13:15


IBM leads Call for Code to use cloud, data, AI, blockchain for natural disaster relief
Posted 25-May-2018 14:12


New FUJIFILM X-T100 aims to do better job than smartphones
Posted 24-May-2018 20:17



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.