Upgrade 16.04 LTS -> 18.04 LTS - tls_process_client_certificate: certificate verify failed - with PSS-signed intermediate

We have been using a ClientAuth configuration in one location for months without any problems:

Ubuntu 16.04.5 LTS Apache 2.4.18-2ubuntu3.9 openssl 1.0.2g-1ubuntu4.13

Now we have upgraded in order to use HTTP2:

Ubuntu 18.04.1 LTS Apache 2.4.29-1ubuntu4.3 Openssl 1.1.0g-2ubuntu4.1

Apache conf:

   SSLEngine on
   SSLVerifyDepth 2
   SSLProxyEngine on
   SSLProtocol -All +TLSv1.2 +TLSv1.1

   SSLCipherSuite HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!EXP:!DES:!RC4:!3DES:!MD5:!PSK:!MEDIUM:!LOW:!SRP:!DSS

   SSLCertificateFile /etc/apache2/ssl/blablub.pem
   SSLCertificateKeyFile /etc/apache2/ssl/blablub.key
   SSLCertificateChainFile /etc/apache2/ssl/blablub.ca_certificates.pem
   SSLCACertificateFile /etc/apache2/ssl/ProductiveCAClientAuth.pem 

....other stuff without ClientAuth...

   <Location /test>
       SSLVerifyClient require
       SSLVerifyDepth 2

       ProxyPass https://server-1/test
       ProxyPassReverse https://server-1/testg

   </Location>

The special thing:

The client certificates are issued by an intermediate CA which is itself RSA-PSS signed. The root CA and the actual client certificates are signed with the usual RSA-SHA256. Don't ask why; it was built that way in the past and has worked until now.

Error:

[Tue Sep 25 07:18:27.723798 2018] [ssl:debug] [pid 49219:tid 140033499584256] ssl_engine_kernel.c(757): [client 89.187.203.114:61120] AH02255: Changed client verification type will force renegotiation
[Tue Sep 25 07:18:27.723803 2018] [ssl:info] [pid 49219:tid 140033499584256] [client 89.187.203.114:61120] AH02221: Requesting connection re-negotiation
[Tue Sep 25 07:18:27.723827 2018] [ssl:debug] [pid 49219:tid 140033499584256] ssl_engine_kernel.c(987): [client 89.187.203.114:61120] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Tue Sep 25 07:18:27.723867 2018] [ssl:info] [pid 49219:tid 140033499584256] [client 89.187.203.114:61120] AH02226: Awaiting re-negotiation handshake
[Tue Sep 25 07:18:33.176966 2018] [ssl:error] [pid 49219:tid 140033499584256] [client 89.187.203.114:61120] AH02261: Re-negotiation handshake failed
[Tue Sep 25 07:18:33.176987 2018] [ssl:error] [pid 49219:tid 140033499584256] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
[Tue Sep 25 07:18:33.177005 2018] [core:trace3] [pid 49219:tid 140033499584256] request.c(119): [client 89.187.203.114:61120] auth phase 'check access (with Satisfy All)' gave status 403: /test/
[Tue Sep 25 07:18:33.177032 2018] [headers:debug] [pid 49219:tid 140033499584256] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[Tue Sep 25 07:18:33.177057 2018] [http:trace3] [pid 49219:tid 140033499584256] http_filters.c(1128): [client 89.187.203.114:61120] Response sent with status 403, headers:
[Tue Sep 25 07:18:33.177062 2018] [http:trace5] [pid 49219:tid 140033499584256] http_filters.c(1135): [client 89.187.203.114:61120]   Date: Tue, 25 Sep 2018 05:18:27 GMT
[Tue Sep 25 07:18:33.177066 2018] [http:trace5] [pid 49219:tid 140033499584256] http_filters.c(1138): [client 89.187.203.114:61120]   Server: Apache/2.4.34 (Ubuntu)
[Tue Sep 25 07:18:33.177071 2018] [http:trace4] [pid 49219:tid 140033499584256] http_filters.c(957): [client 89.187.203.114:61120]   X-Frame-Options: SAMEORIGIN
[Tue Sep 25 07:18:33.177075 2018] [http:trace4] [pid 49219:tid 140033499584256] http_filters.c(957): [client 89.187.203.114:61120]   Content-Length: 320
[Tue Sep 25 07:18:33.177080 2018] [http:trace4] [pid 49219:tid 140033499584256] http_filters.c(957): [client 89.187.203.114:61120]   Connection: close
[Tue Sep 25 07:18:33.177084 2018] [http:trace4] [pid 49219:tid 140033499584256] http_filters.c(957): [client 89.187.203.114:61120]   Content-Type: text/html; charset=iso-8859-1

We tested it again with a client certificate issued by a SHA256-signed intermediate CA. That works without any problems. I suspect that with the update of Apache or openssl the PSS-signed issuer has now become a problem. Does anyone know what can be done to get it working again?

Answer 1

The main problem was solved by updating to OpenSSL 1.1.1. Although the problem is solved and ClientAuth works again, it is very slow. A normal login now takes 60-120 seconds. Updating to Apache 2.4.35 did not help either. Various tests with Apache's SSLCache options did not help either.

I think that, since Apache does not officially support openSSL 1.1.1 and TLS 1.3 yet, only waiting for official support will help.

Answer 2

You can now use OpenSSL 1.1.1 with apache2 (or nginx) via the Ondrej Sury PPA by adding his apache2 (or nginx) repository, removing the default apache2 (change apache2 to nginx if you use the latter) and reinstalling, like so:

apache2 and openssl 1.1.1:
add-apt-repository ppa:ondrej/apache2
apt-get update
apt-get -y remove apache2
apt-get -y install apache2 openssl
