Apache httpd server OCSP responder issue with test PIV cards


jeff.baranski

Mar 12, 2018, 10:55:46 AM
to piv-test-cards
Hi,

I'm using the test PIV cards for client authentication with apache httpd server and everything so far has been working fine except the OCSP responder.

Here is what I tested:
1. Client authentication with apache httpd server (works)
2. Client authentication + CRL revocation checking with apache httpd server (works)
3. Manually test the OCSP responder with a single client certificate via OpenSSL cmd line (works); example: openssl ocsp -CAfile cac.pem -url http://seclab7.ncsl.nist.gov -resp_text -issuer RSA2048IssuingCACertificate.pem -cert card7.pem -no_nonce
4. Client authentication + OCSP revocation checking with apache httpd server (does NOT work)

At point 4 here is my apache settings:
SSLVerifyClient require
SSLVerifyDepth  10
SSLCACertificateFile "${SRVROOT}/conf/ssl/cac.pem"
SSLOCSPEnable on
SSLOCSPDefaultResponder http://seclab7.ncsl.nist.gov
SSLOCSPUseRequestNonce off # on or off this makes no difference but the OCSP responder does NOT return a nonce... 

Reading the mod_ssl docs it says this about SSLOCSPEnable:
This option enables OCSP validation of the client certificate chain. If this option is enabled, certificates in the client's certificate chain will be validated against an OCSP responder after normal verification (including CRL checks) have taken place.

This part is what I think is causing an issue: "certificates in the client's certificate chain will be validated against an OCSP responder" -- I read this as the entire chain is validated, not just the client certificate (the intermediate certificate is also validated against an OCSP responder but none is setup for the PIV test cards).

Did anyone ever get OCSP + test PIV cards working with Apache httpd server? Did I miss something?


Here are the Apache logs:

[Mon Mar 12 10:40:18.580646 2018] [ssl:debug] [pid 852:tid 1192] ssl_engine_kernel.c(1576): [client 10.0.75.1:55755] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=Test RSA 2048-bit CA for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US / issuer: CN=Test Trust Anchor for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US / serial: 02 / notbefore: Oct  1 08:30:00 2010 GMT / notafter: Oct  1 08:30:00 2030 GMT]
[Mon Mar 12 10:40:18.581151 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(96): [client 10.0.75.1:55755] AH01973: connecting to OCSP responder 'seclab7.ncsl.nist.gov'
[Mon Mar 12 10:40:18.604466 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(124): [client 10.0.75.1:55755] AH01975: sending request to OCSP responder
[Mon Mar 12 10:40:18.627311 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(234): [client 10.0.75.1:55755] AH01981: OCSP response header: Content-Type: application/ocsp-response
[Mon Mar 12 10:40:18.627311 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(234): [client 10.0.75.1:55755] AH01981: OCSP response header: Content-Transfer-Encoding: Binary
[Mon Mar 12 10:40:18.627311 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(234): [client 10.0.75.1:55755] AH01981: OCSP response header: Content-Length: 5
[Mon Mar 12 10:40:18.627311 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(234): [client 10.0.75.1:55755] AH01981: OCSP response header: Date: Mar 12 14:40:06 2018 GMT
[Mon Mar 12 10:40:18.627311 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(234): [client 10.0.75.1:55755] AH01981: OCSP response header: Expires: Mar 12 15:40:06 2018 GMT
[Mon Mar 12 10:40:18.627311 2018] [ssl:debug] [pid 852:tid 1192] ssl_util_ocsp.c(282): [client 10.0.75.1:55755] AH01987: OCSP response: got 5 bytes, 5 total
[Mon Mar 12 10:40:18.627311 2018] [ssl:error] [pid 852:tid 1192] AH01922: OCSP response not successful: 0
[Mon Mar 12 10:40:18.627311 2018] [ssl:info] [pid 852:tid 1192] [client 10.0.75.1:55755] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=Test RSA 2048-bit CA for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US / issuer: CN=Test Trust Anchor for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US / serial: 02 / notbefore: Oct  1 08:30:00 2010 GMT / notafter: Oct  1 08:30:00 2030 GMT]
[Mon Mar 12 10:40:18.627311 2018] [ssl:info] [pid 852:tid 1192] [client 10.0.75.1:55755] AH02008: SSL library error 1 in handshake (server localhost:443)
[Mon Mar 12 10:40:18.627311 2018] [ssl:info] [pid 852:tid 1192] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed



Douglas E Engert

Mar 12, 2018, 12:06:06 PM
to piv-tes...@list.nist.gov


On 3/12/2018 9:55 AM, jeff.baranski wrote:
> Hi,
>
> I'm using the test PIV cards for client authentication with apache httpd server and everything so far has been working fine except the OCSP responder.
>
> Here is what I tested:
> 1. Client authentication with apache httpd server *(works)*
> 2. Client authentication + CRL revocation checking with apache httpd server *(works)*
> 3. Manually test the OCSP responder with a single client certificate via OpenSSL cmd line *(works)*; example: openssl ocsp -CAfile cac.pem -url http://seclab7.ncsl.nist.gov -resp_text -issuer
> RSA2048IssuingCACertificate.pem -cert card7.pem -no_nonce
> 4. Client authentication + OCSP revocation checking with apache httpd server *(does NOT work)*

I have not tried this, but the intermediate certificate would be from
CACertsIssuedToRSA2048CA.p7c

It looks like it does not have an
OCSP - URI:http://seclab7.ncsl.nist.gov
which the client certificates have. Apache may be expecting this.

You could try SSLCACertificatePath instead of SSLCACertificateFile
and add both the intermediate CA and CA certificates to the directory
and run c_rehash on the directory.
This might be enough to get the test cards working.



openssl x509 -noout -text -in CACertsIssuedToRSA2048CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Test Certificates 2010, OU=Test CA, CN=Test Trust Anchor for Test PIV Cards
Validity
Not Before: Oct 1 08:30:00 2010 GMT
Not After : Oct 1 08:30:00 2030 GMT
Subject: C=US, O=Test Certificates 2010, OU=Test CA, CN=Test RSA 2048-bit CA for Test PIV Cards
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:53:74:6c:c1:7b:d8:44:47:78:a6:4f:a0:2f:
8e:31:66:f8:d0:65:37:a8:47:36:36:80:18:17:dc:
4e:c9:37:cb:7f:21:4d:b7:65:e4:4c:3d:eb:3d:35:
13:75:a7:01:74:26:c1:70:f9:3d:db:a7:59:91:b5:
fe:a1:89:bc:07:ac:d3:a2:33:9f:63:cc:9c:5c:97:
81:ac:cf:8e:23:03:5b:e8:af:40:fc:b3:e8:67:f3:
cb:1d:27:d5:1d:1d:8e:9c:d2:df:65:16:95:d4:f4:
02:f3:b2:92:d3:c0:b7:3f:71:2b:67:8e:90:08:59:
65:30:f2:07:bb:14:5c:4e:50:0c:0b:28:25:9f:5e:
ec:a3:e7:4c:7d:8e:8d:11:a6:a0:be:97:fc:3c:a2:
e7:0f:da:8c:34:d5:92:46:52:37:c2:05:41:31:fc:
20:00:06:ee:3d:c4:44:fa:45:47:57:54:73:bc:ce:
bd:00:c3:32:e6:55:c7:86:f6:66:95:65:c0:3d:1c:
12:95:71:98:c0:3c:47:13:a8:c5:ae:ef:c5:62:0b:
96:94:68:17:7f:f4:ba:bb:6e:55:32:03:50:e8:59:
ca:2f:05:93:49:48:db:81:42:cd:b8:30:89:a3:71:
fb:33:9d:63:f8:89:57:51:f5:3e:1e:1b:3d:ac:2b:
03:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:8E:DF:5B:E3:EA:5B:6A:92:FE:74:AF:37:4C:91:DD:EC:29:80:B0:55

X509v3 Subject Key Identifier:
8F:BE:8E:48:44:B4:DF:FA:B2:90:91:74:CD:03:57:C7:FF:E8:BD:0C
X509v3 CRL Distribution Points:

Full Name:
URI:http://smime2.nist.gov/PIVTest/TrustAnchor.crl
URI:ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?certificateRevocationList;binary

Authority Information Access:
CA Issuers - URI:http://smime2.nist.gov/PIVTest/CACertsIssuedToTrustAnchor.p7c
CA Issuers - URI:ldap://smime2.nist.gov/cn=Test%20Trust%20Anchor%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary,crossCertificatePair;binary

X509v3 Certificate Policies:
Policy: 2.16.840.1.101.3.2.1.3.7
Policy: 2.16.840.1.101.3.2.1.3.8
Policy: 2.16.840.1.101.3.2.1.3.13
Policy: 2.16.840.1.101.3.2.1.3.17

Subject Information Access:
CA Repository - URI:http://smime2.nist.gov/PIVTest/CACertsIssuedByRSA2048CA.p7c
CA Repository - URI:ldap://smime2.nist.gov/cn=Test%20RSA%202048-bit%20CA%20for%20Test%20PIV%20Cards,ou=Test%20CA,o=Test%20Certificates%202010,c=US?cACertificate;binary

Signature Algorithm: sha256WithRSAEncryption
2b:bd:5d:2e:47:53:95:e0:0d:dc:aa:2e:5e:fb:44:fb:da:63:
9e:9c:3e:e3:33:b0:4a:0a:67:bb:61:cd:3d:ce:4f:6c:4d:bf:
50:81:99:09:09:0f:67:1c:68:b5:72:a2:fb:44:d3:59:81:ca:
72:2c:03:f9:4a:3f:b8:81:ed:0e:c2:ee:7e:3f:8e:74:f7:2a:
5e:a4:11:9f:c0:6c:25:5c:07:ad:c3:88:1d:30:d0:a3:95:48:
37:11:40:ca:91:b4:8c:cd:2a:96:41:88:6d:92:06:f0:0a:89:
4b:81:31:85:bc:82:22:66:51:d6:d2:eb:6e:e4:1f:3c:af:47:
c1:75:f1:3b:b6:b7:a2:aa:4c:5f:ac:f0:0e:6b:7b:90:ce:a9:
1a:06:61:6e:02:88:21:8e:1f:24:eb:7f:98:c5:57:34:b4:d1:
97:5c:13:00:36:b5:af:f9:a2:b0:6a:d7:f7:f0:35:fd:27:bb:
38:b3:8d:95:cf:30:63:50:88:7d:70:c2:d5:d7:e3:47:00:d7:
8c:cd:ef:db:70:04:04:45:34:0a:39:62:b2:1b:5a:6f:f0:2a:
53:2c:a2:99:b7:48:79:a4:33:8e:80:be:24:9a:99:95:24:ec:
e9:b4:1b:e0:6f:e9:a3:0d:a7:38:23:db:35:14:3c:d4:8a:0a:
bf:ac:7e:a5







--

Douglas E. Engert <DEEn...@gmail.com>

Douglas E Engert

Mar 12, 2018, 12:21:38 PM
to piv-tes...@list.nist.gov
Google for: AH02276: Certificate Verification: Error (50)

The responses are all a few years old, this might be helpful:

https://bugzilla.redhat.com/show_bug.cgi?id=1037735




Jeff Baranski

Mar 12, 2018, 1:05:13 PM
to Douglas E Engert, piv-tes...@list.nist.gov
SSLCACertificateFile contains all 6 (the Root CA trust anchor + all 5 PIV intermediates) in cac.pem in my local apache httpd server test. Wouldn't using SSLCACertificatePath be equivalent to pointing to a dir with all the individual certs?

For the link you provided and the Googling of the error I have done before reaching out to the email list, I wanted to see if anyone has got this setup and working. There is no definitive end or answer to this that I can find...



Jeff Baranski

Mar 12, 2018, 2:43:47 PM
to Douglas E Engert, piv-tes...@list.nist.gov
Hi,

Just to close the loop somewhat. I am acting as my own Certificate Authority, and I ran two of my own tests to just confirm...

Root CA
Root CA > OCSP responder signing certificate
Root CA > Intermediate CA
Intermediate CA > OCSP responder signing certificate
Intermediate CA > client1


Run two OCSP responders, one for certificates signed by the Root CA, a second OCSP responder for certificates signed by the Intermediate CA.

In Apache, client authentication with OCSP enabled works well when all of the above is set up.

In Apache, client authentication with OCSP enabled will NOT work when the Root CA OCSP responder is not enabled or that step is skipped (which is how the Test PIV cards are setup).

Ideally I would like to configure mod_ssl to control whether it verifies the entire certificate chain vs just the client certificate.

Not sure if you will ever add OCSP information to your Intermediate CAs in the future, but please keep this in mind if it comes up again because as of right now we can't use OCSP in Apache with the PIV test cards (unless I'm missing something which I hope someone would point out).

Thanks for your time.

Thanks,
Jeff



David A. Cooper

Mar 12, 2018, 3:14:32 PM
to Jeff Baranski, piv-tes...@list.nist.gov
Hi Jeff,

To the best of my knowledge the Common Policy Root CA does not currently provide an OCSP responder for the certificates that it issues. I don't know about other CAs in the Federal PKI, but at the moment when validating PIV certificates one can expect to encounter at least one intermediate certificate for which OCSP information is not available. So, I think it would be best to not add OCSP information for intermediate certificates in the test PKI, since the current test PKI more accurately reflects what one can expect to encounter in the real Federal PKI.

It would be nice if one could configure Apache to use OCSP when available and CRLs otherwise, but that doesn't seem to be an option. At the moment, there doesn't seem to be a reason to use OCSP for PIV certificates. According to https://httpd.apache.org/docs/2.4/mod/mod_ssl.html:
This [SSLOCSPEnable] option enables OCSP validation of the client certificate chain. If this option is enabled, certificates in the client's certificate chain will be validated against an OCSP responder after normal verification (including CRL checks) have taken place.
I read this to mean that if SSLOCSPEnable, then OCSP checking is performed in addition to CRL checking. This might be useful if the OCSP responder provides more up-to-date information than CRLs do, but otherwise it is just redundant.

I would also suggest not setting the SSLOCSPDefaultResponder directive:
This [SSLOCSPDefaultResponder] option sets the default OCSP responder to use. If SSLOCSPOverrideResponder is not enabled, the URI given will be used only if no responder URI is specified in the certificate being verified.
In the case of the test PKI, there is a single OCSP responder, but in a more realistic scenario there would be a different responder for each CA. Besides, whenever http://seclab7.ncsl.nist.gov can provide an OCSP response for a certificate, there is a URL in the certificate pointing to http://seclab7.ncsl.nist.gov, so setting SSLOCSPDefaultResponder doesn't help.

I believe that SSLOCSPDefaultResponder is intended to be used in conjunction with SSLOCSPResponderCertificateFile to point to a locally trusted OCSP responder. You (as the relying party) could set up an OCSP responder that acts as a proxy for obtaining certificate status information. You could configure Apache to send all OCSP queries to this local responder, and it would obtain the status information from the CA (via OCSP, CRLs, etc.) and then provide the information to you in the form of an OCSP response.

Since you are not operating such an OCSP responder, it seems that SSLOCSPDefaultResponder should simply not be set.

David

Douglas E Engert

Mar 12, 2018, 3:30:54 PM
to Jeff Baranski, piv-tes...@list.nist.gov

On 3/12/2018 12:05 PM, Jeff Baranski wrote:
> SSLCACertificateFile contains all 6 (the Root CA trust anchor + all 5 PIV intermediates) in cac.pem in my local apache httpd server test. Wouldn't using SSLCACertificatePath be equivalent to pointing
> to a dir with all the individual certs?

It should be. But you may want to try the directory version.

>
> For the link you provided and the Googling the error I have done before reaching out to the email list, I wanted to see if anyone has got this setup and working. There is definitive end or answer to
> this that I can find...

OK.
It looks like the OCSP fails on the OCSP server for some reason.

Looking at the Apache-2.4.29 source code, the AH01922 message comes from
./modules/ssl/ssl_engine_ocsp.c
161 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01922)

Just above that is:

140 ruri = determine_responder_uri(sc, cert, c, pool);
141 if (!ruri) {
142 return V_OCSP_CERTSTATUS_UNKNOWN;
143 }

You have to specify SSLOCSPDefaultResponder.
The problem is determine_responder_uri returns NULL if no responder can be found.
This does not tell you why. Either the cert does not have a URL or there is no
SSLOCSPDefaultResponder, or either one could not be parsed.
If you are willing to say certs that don't have an OCSP URL don't need to
be OCSP verified, then the following could be done.



It also looks like the following should user r and not rc:
162 "OCSP response not successful: %d", rc);
should be
162 "OCSP response not successful: %d", r);

So if you are willing to hack the code to get the PIV test cards to work,
you could do something around 140 that says
if (!sc->server->ocsp_responder)
return rc; /* V_OCSP_CERTSTATUS_GOOD */
and make sure SSLOCSPDefaultResponder is not set.

A better hack could surely be made then the above.

But it looks like in the source code either all non-self-signed certs or no certs will be verified.
You don't have a choice like: if the cert is trusted and does not have an
OCSP URL, accept it as verified; some hack here to see if the cert is in the pool.


269 else if (X509_check_issued(cert,cert) == X509_V_OK) {
270 /* don't do OCSP checking for valid self-issued certs */
271 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
272 "Skipping OCSP check for valid self-issued cert");
273 X509_STORE_CTX_set_error(ctx, X509_V_OK);
274 return 1;
275 }








Jeff Baranski

Mar 12, 2018, 3:58:28 PM
to piv-tes...@list.nist.gov
Sounds good, thanks David (Douglas) for your inputs on this.

Thanks,
Jeff



David A. Cooper

Mar 12, 2018, 4:01:59 PM
to Douglas E Engert, Jeff Baranski, piv-tes...@list.nist.gov
Hi Doug,

As I noted in my previous message, I do not believe that SSLOCSPDefaultResponder should be set.

This is what I believe is happening according to the Apache log file that Jeff sent:
  • Apache is trying to use OCSP to check the status of every certificate in the path.
  • When checking the intermediate certificate, since the certificate does not contain an OCSP URL, Apache is using the OCSP responder specified in SSLOCSPDefaultResponder, http://seclab7.ncsl.nist.gov.
  • Since http://seclab7.ncsl.nist.gov does not have status information for the intermediate certificate, it responds with an "unauthorized" error message (in accordance with Section 2.2.3 of RFC 5019). This is the response the log is referring to when it says "got 5 bytes."
  • Since OCSP checking for the intermediate certificate failed, path validation failed.
David
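The "got 5 bytes" reply and the per-certificate responder selection David describes above, as an added example in Python that is not part of this thread and not mod_ssl's own code. It decodes the outer OCSPResponse structure (the bytes 30 03 0a 01 06 are a constructed sample of a responseStatus = unauthorized reply with no responseBytes, which is exactly five bytes of DER) and models which responder each certificate in the test-card chain would be sent to, following the SSLOCSPDefaultResponder / SSLOCSPOverrideResponder documentation quoted earlier and the self-issued skip Douglas quoted from ssl_engine_ocsp.c. The chain description and the responder-selection logic are assumptions drawn from the thread, not from the httpd source; the only network-free input is the constructed sample data embedded below.

```python
# Added example (not from the thread or from httpd): decode the outer
# OCSPResponse that mod_ssl logged as "got 5 bytes" and model which
# responder mod_ssl would pick for each certificate in the client chain.
# Pure standard library, no network access.

# OCSPResponseStatus values from RFC 6960 section 4.2.1 (value 4 is unused).
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def _read_tlv(buf, pos):
    """Minimal DER reader: return (tag, value, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, up to 4 length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def parse_ocsp_response(der):
    """Decode OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
    responseBytes [0] EXPLICIT ... OPTIONAL } and return
    (status_name, has_response_bytes). Only the outer layer is decoded;
    that is enough to tell an error reply from a real status response."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("OCSPResponse is not a single SEQUENCE")
    tag, status, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    code = status[0]
    has_response_bytes = False
    if pos < len(body):
        tag, _, pos = _read_tlv(body, pos)
        if tag != 0xA0 or pos != len(body):
            raise ValueError("unexpected element after responseStatus")
        has_response_bytes = True
    if code == 0 and not has_response_bytes:
        raise ValueError("status 'successful' but no responseBytes")
    return OCSP_RESPONSE_STATUS.get(code, "unknown(%d)" % code), has_response_bytes


def responder_uri(cert_ocsp_uri, default_responder=None, override=False):
    """Responder used for one certificate, per the documented semantics of
    SSLOCSPDefaultResponder / SSLOCSPOverrideResponder (assumed model): the
    default is consulted only when the certificate carries no AIA OCSP URI,
    unless the override is on. None means no responder at all."""
    if override and default_responder:
        return default_responder
    return cert_ocsp_uri or default_responder


def chain_check_plan(chain, default_responder=None, override=False):
    """For each certificate in a client chain (dicts with 'subject',
    'self_issued', 'ocsp_uri'), return (subject, action) showing what a
    server with SSLOCSPEnable on does in this model: self-issued certs are
    skipped, every other cert needs a responder or verification fails."""
    plan = []
    for cert in chain:
        if cert["self_issued"]:
            plan.append((cert["subject"], "skip: self-issued"))
            continue
        uri = responder_uri(cert["ocsp_uri"], default_responder, override)
        if uri is None:
            plan.append((cert["subject"], "FAIL: no OCSP responder URI"))
        else:
            plan.append((cert["subject"], "query " + uri))
    return plan


# Constructed sample: a bare OCSPResponse with responseStatus = unauthorized (6)
# and no responseBytes, the shape of the 5-byte reply in the thread's log.
UNAUTHORIZED_REPLY = bytes.fromhex("30 03 0a 01 06")

# Constructed chain matching the certificates named in the thread: only the
# leaf carries an AIA OCSP URI; the intermediate (see the x509 dump above)
# has CA Issuers and CRL DPs but no OCSP entry; the trust anchor is self-issued.
TEST_PIV_CHAIN = [
    {"subject": "CN=Test Trust Anchor for Test PIV Cards",
     "self_issued": True, "ocsp_uri": None},
    {"subject": "CN=Test RSA 2048-bit CA for Test PIV Cards",
     "self_issued": False, "ocsp_uri": None},
    {"subject": "card7 (PIV authentication certificate)",
     "self_issued": False, "ocsp_uri": "http://seclab7.ncsl.nist.gov"},
]

if __name__ == "__main__":
    print(len(UNAUTHORIZED_REPLY), "bytes ->", parse_ocsp_response(UNAUTHORIZED_REPLY))
    for subject, action in chain_check_plan(TEST_PIV_CHAIN, "http://seclab7.ncsl.nist.gov"):
        print("with default responder:    %s -> %s" % (subject, action))
    for subject, action in chain_check_plan(TEST_PIV_CHAIN):
        print("without default responder: %s -> %s" % (subject, action))
```

Run it as a script to see both outcomes from the thread side by side: with SSLOCSPDefaultResponder set, the intermediate is sent to seclab7 (which answers unauthorized); without it, the intermediate has no responder at all. Either way the chain check cannot pass, which is the constraint Jeff ran into. The parser is deliberately strict: a "successful" status without responseBytes, a trailing element, or a length that overruns the buffer is rejected rather than guessed at, which is the behaviour you want in anything that consumes OCSP replies from an untrusted network path.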

Jeff Baranski

Mar 12, 2018, 4:31:40 PM
to David A. Cooper, Douglas E Engert, piv-tes...@list.nist.gov
Hi David,

That's also what I saw. Just want to add that if I remove the default responder setting then Apache complains the intermediate CA has no OCSP URI but OCSP is enabled (so it still won't work). I agree setting the default is redundant in this case.

I wish mod_ssl was more flexible, since using openssl ocsp cmd line I can confirm the PIV client cert status without it needing an additional ocsp check on the intermediate (as noted in example on first mail).

Thanks again for your input.

Thanks,
Jeff


