So, I am trying to set up Apache 2.4 mutual authentication on a VirtualHost configuration.
Given the following environment, what am I missing?
Server: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r
Client: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)
So far I have:
- Generated a self-signed root certificate (CA).
- Generated a server key pair, signed by the CA.
- Generated a client key pair, signed by the CA.
- Generated a client .p12 certificate from the client key pair and the CA.
- Added the CA to /usr/local/share/ca-certificates/ and ran # update-ca-certificates -v
- In Firefox, imported the CA under Certificate Manager, Authorities.
- In Firefox, imported the .p12 certificate under Certificate Manager, Your Certificates.
- Configured Apache to use the server certificate. Yay, that worked.
To test the certificates, I ran:
# openssl s_client -connect www.example.com:443 \
-cert ./client.crt \
-key ./client.key \
-CAfile ./CA/ca.crt \
-state -debug
The end result is the output Verify return code: 0 (ok), but no sign of any client certificate. Full output below.
All of this leads to one error: AH01797: client denied by server configuration
Apache VirtualHost configuration:
<VirtualHost www.example.com:443>
ServerName www.example.com
ServerAdmin [email protected]
DocumentRoot "/home/username/local/www/php-dev"
ErrorLog /home/username/local/www/log/example.com-username.error.log
TransferLog /home/username/local/www/log/example.com-username.access.log
SSLEngine on
#SSLVerifyClient none
SSLCertificateFile "/etc/httpd/certs/www.example.com.crt"
SSLCertificateKeyFile "/etc/httpd/certs/www.example.com.key"
#SSLCACertificatePath "/etc/httpd/certs"
SSLCertificateChainFile "/etc/httpd/certs/ca.crt"
SSLCACertificateFile "/etc/httpd/certs/ca.crt"
<Directory "/home/username/local/www/php-dev">
Options +Indexes +FollowSymLinks +MultiViews -Includes
#RewriteEngine on
#RewriteBase /
AllowOverride None
#AllowOverride AuthConfig
Order allow,deny
Require all granted
# require a client certificate which has to be directly
# signed by our CA certificate in ca.crt
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth
#SSLRequire (%{SSL_CLIENT_S_DN_Email} eq "[email protected]")
# Use this option to match on DNS (This is working)
#Require forward-dns client.example.com
#Require valid-user
</Directory>
</VirtualHost>
OpenSSL test output:
# openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = [email protected]
verify return:1
depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = [email protected]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/[email protected]
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/[email protected]
1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/[email protected]
i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/[email protected]
---
Server certificate
subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/[email protected]
issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2508 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C
Session-ID-ctx:
Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1555651633
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
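As an added example, not part of the question above, here is a small Python parser that pulls the mutual-TLS facts out of an `openssl s_client` transcript like the one posted: whether the server sent a CertificateRequest (s_client prints "Acceptable client certificate CA names" only after receiving one, and offers the -cert/-key pair only when asked), the verify return code, protocol and cipher. The two transcripts embedded in it are constructed excerpts shortened from the output above; the DN is the question's placeholder.

```python
import re
# Constructed excerpt, shortened from the s_client transcript in the question.
NO_REQUEST = """\
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
"""

# Constructed: the same section when the server asks for a client certificate
# in the initial handshake and names the CA it trusts.
WITH_REQUEST = """\
Acceptable client certificate CA names
/C=DK/O=Company Name/CN=Company Name Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
    Verify return code: 0 (ok)
"""

def parse_s_client(text):
    """Return the handshake facts to check when mTLS appears to do nothing."""
    facts = {"client_cert_requested": False, "acceptable_cas": [],
             "verify_code": None, "protocol": None, "cipher": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Acceptable client certificate CA names"):
            # Printed only after a CertificateRequest; DN lines follow it.
            facts["client_cert_requested"] = True
            for dn in lines[i + 1:]:
                if not dn.startswith("/"):
                    break
                facts["acceptable_cas"].append(dn.strip())
        if m := re.match(r"\s*Verify return code:\s*(\d+)", line):
            facts["verify_code"] = int(m.group(1))
        if m := re.match(r"\s*Protocol\s*:\s*(\S+)", line):
            facts["protocol"] = m.group(1)
        if m := re.match(r"New, .*Cipher is (\S+)", line):
            facts["cipher"] = m.group(1)
    return facts

def diagnose(facts):
    notes = []
    if facts["verify_code"] != 0:
        notes.append("server chain did not verify against -CAfile")
    if not facts["client_cert_requested"]:
        # Also printed when the server asked but advertised an empty CA list.
        notes.append("no CertificateRequest in the initial handshake: -cert/-key never used")
    return notes
```

With SSLVerifyClient set inside a Directory block, mod_ssl requests the client certificate by renegotiating only after it has read the HTTP request, so an s_client session that sends no request never sees a CertificateRequest; the parser flags exactly that situation for a transcript like the one above.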