Belgium EID and Apache proxy setup


Vincent Van der Kussen

Mar 6, 2015, 3:59:56 AM
to eid...@googlegroups.com
Hi all,

I'm trying to set up an Apache-based proxy that will use the BEID to provide authentication
to a web application. I would also like to capture some data into the HTTP headers to be used
later.

At the moment I get asked to enter my eID PIN when I try to access the site, but then something
goes wrong.

To me it looks like no certificate is being sent to the Apache server. But I'm not sure where the
problem lies.

All pointers/information are welcome.

This is our Apache config:

<VirtualHost *:443>
    ServerName beid.mydomain.tld

    # SSL Options
    # Query the OCSP responder named in each certificate of the client chain
    # (the AH01918 line in the log below comes from this check).
    SSLOCSPEnable on

    <Location /eid>
        SSLRequireSSL
        # Client certificate is mandatory for this path only; a per-location
        # requirement forces a renegotiation after the first request (AH02255 below).
        SSLVerifyClient require
        SSLVerifyDepth 6
        # StdEnvVars exports the SSL_* variables, ExportCertData additionally
        # exports the certificates themselves (SSL_CLIENT_CERT) in PEM form.
        SSLOptions +StrictRequire +StdEnvVars +ExportCertData
        #SSLOptions +StdEnvVars
        #SSLCipherSuite +ALL:SSLv3+HIGH:-aNULL
    </Location>

    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
    SSLEngine on

    SSLCertificateKeyFile /etc/pki/tls/private/ourserver.key
    # SSLCertificateFile must reference the server certificate (PEM), not the
    # private key named above.
    SSLCertificateFile /etc/pki/tls/certs/ourserver.key
    # CA certificates accepted for client authentication: this bundle has to
    # contain the complete eID issuing chain up to its self-signed root.
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

    # Forward the verification result and subject data to the backend.
    # Verified is "SUCCESS" only when the client chain validated; the backend
    # must check it before trusting DN or SSL_USERID.
    RequestHeader set Verified      "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set DN            "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_USERID    "%{SSL_CLIENT_S_DN_serialNumber}s"
</VirtualHost>


This is the error I get:

[Fri Mar 06 09:50:57.328487 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH01964: Connection to child 3 established (server beid.mydomain.tld:443)
[Fri Mar 06 09:50:57.329076 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1913): [client 192.168.9.26:54660] AH02043: SSL virtual host for servername beid.mydomain.tld found
[Fri Mar 06 09:50:57.391701 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1846): [client 192.168.9.26:54660] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Fri Mar 06 09:50:57.440767 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(224): [client 192.168.9.26:54660] AH02034: Initial (No.1) HTTPS request received for child 3 (server beid.mydomain.tld:443)
[Fri Mar 06 09:50:57.440947 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(572): [client 192.168.9.26:54660] AH02255: Changed client verification type will force renegotiation
[Fri Mar 06 09:50:57.440959 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH02221: Requesting connection re-negotiation
[Fri Mar 06 09:50:57.440986 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(772): [client 192.168.9.26:54660] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Fri Mar 06 09:50:57.441136 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH02226: Awaiting re-negotiation handshake
[Fri Mar 06 09:50:57.484109 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1913): [client 192.168.9.26:54660] AH02043: SSL virtual host for servername beid.mydomain.tld found
[Fri Mar 06 09:50:58.051292 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1383): [client 192.168.9.26:54660] AH02275: Certificate Verification, depth 4, CRL checking mode: none [subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 020000B9 / notbefore: May 12 18:46:00 2000 GMT / notafter: May 12 23:59:00 2025 GMT]
[Fri Mar 06 09:50:58.051560 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1383): [client 192.168.9.26:54660] AH02275: Certificate Verification, depth 3, CRL checking mode: none [subject: CN=Cybertrust Global Root,O=Cybertrust\\, Inc / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 07273325 / notbefore: Aug 18 19:11:52 2010 GMT / notafter: Aug 18 19:11:06 2020 GMT]
[Fri Mar 06 09:50:58.051579 2015] [ssl:debug] [pid 29902] ssl_engine_ocsp.c(78): [client 192.168.9.26:54660] AH01918: no OCSP responder specified in certificate and no default configured
[Fri Mar 06 09:50:58.051607 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=Cybertrust Global Root,O=Cybertrust\\, Inc / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 07273325 / notbefore: Aug 18 19:11:52 2010 GMT / notafter: Aug 18 19:11:06 2020 GMT]
[Fri Mar 06 09:50:58.051757 2015] [ssl:error] [pid 29902] [client 192.168.9.26:54660] AH02261: Re-negotiation handshake failed: Not accepted by client!?
[Fri Mar 06 09:50:58.052159 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1383): [client 192.168.9.26:54660] AH02275: Certificate Verification, depth 4, CRL checking mode: none [subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 020000B9 / notbefore: May 12 18:46:00 2000 GMT / notafter: May 12 23:59:00 2025 GMT]
[Fri Mar 06 09:50:58.052283 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1383): [client 192.168.9.26:54660] AH02275: Certificate Verification, depth 3, CRL checking mode: none [subject: CN=Cybertrust Global Root,O=Cybertrust\\, Inc / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 07273325 / notbefore: Aug 18 19:11:52 2010 GMT / notafter: Aug 18 19:11:06 2020 GMT]
[Fri Mar 06 09:50:58.052295 2015] [ssl:debug] [pid 29902] ssl_engine_ocsp.c(78): [client 192.168.9.26:54660] AH01918: no OCSP responder specified in certificate and no default configured
[Fri Mar 06 09:50:58.052319 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=Cybertrust Global Root,O=Cybertrust\\, Inc / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 07273325 / notbefore: Aug 18 19:11:52 2010 GMT / notafter: Aug 18 19:11:06 2020 GMT]
[Fri Mar 06 09:50:58.052451 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH02008: SSL library error 1 in handshake (server beid.mydomain.tld:443)
[Fri Mar 06 09:50:58.052487 2015] [ssl:info] [pid 29902] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Mar 06 09:50:58.052494 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH01998: Connection closed to child 3 with abortive shutdown (server beid.mydomain.tld:443)

Regards,
Vincent

Verhelst Wouter

Mar 10, 2015, 6:12:18 AM
to eid...@googlegroups.com
Hi Vincent,

It looks to me like what's happening is a failure of the OCSP checks:

[Fri Mar 06 09:50:58.051579 2015] [ssl:debug] [pid 29902] ssl_engine_ocsp.c(78): [client 192.168.9.26:54660] AH01918: no OCSP responder specified in certificate and no default configured

which is strange, because the certificates on the card do actually contain an OCSP URL.

To verify if this fixes the issue, you could try disabling OCSP checks for a moment. If that works, we need to figure out why that part doesn't work.

Regards,

--
Wouter Verhelst
________________________________________
From: eid...@googlegroups.com [eid...@googlegroups.com] on behalf of Vincent Van der Kussen [vincent.va...@connective.be]
Sent: Friday 6 March 2015 9:59
To: eid...@googlegroups.com
Subject: Belgium EID and Apache proxy setup

Vincent Van der Kussen

Mar 10, 2015, 10:22:33 AM
to eid...@googlegroups.com
Hi Wouter,

Thanks for replying, but we found the issue.

The problem was that the CA chain on the server was not complete, so we could never retrieve the
client's certificate, hence the error message.

Regards,
Vincent
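The following is an added example, not code from the thread or from the eID middleware project: a small parser for the mod_ssl trace Vincent posted above. It reports which chain depths were verified, where OCSP had no responder, and the depth at which verification stopped, which is the symptom of the incomplete CA chain described in this reply. The sample lines are excerpted from that trace; the finding texts are this example's own wording.

```python
import re
# Patterns for the mod_ssl (Apache 2.4) trace lines quoted in the thread; AH codes are stable ids.
_DEPTH = re.compile(r"AH02275: Certificate Verification, depth (\d+), CRL checking mode: (\w+) "
                    r"\[subject: (.*?) / issuer: (.*?) / serial")
_OCSP = re.compile(r"AH01918: no OCSP responder specified")
_VERR = re.compile(r"AH02276: Certificate Verification: Error \((\d+)\): ([^\[]+?) \[subject: (.*?) /")
_LIB = re.compile(r"SSL Library Error: (error:\w+:SSL routines:\w+:.*)$")

# Sample input: five lines excerpted from the trace posted above (one verification pass, final error).
SAMPLE_TRACE = [
    r"[Fri Mar 06 09:50:58.051292 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1383): [client 192.168.9.26:54660] AH02275: Certificate Verification, depth 4, CRL checking mode: none [subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 020000B9 / notbefore: May 12 18:46:00 2000 GMT / notafter: May 12 23:59:00 2025 GMT]",
    r"[Fri Mar 06 09:50:58.051560 2015] [ssl:debug] [pid 29902] ssl_engine_kernel.c(1383): [client 192.168.9.26:54660] AH02275: Certificate Verification, depth 3, CRL checking mode: none [subject: CN=Cybertrust Global Root,O=Cybertrust\\, Inc / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 07273325 / notbefore: Aug 18 19:11:52 2010 GMT / notafter: Aug 18 19:11:06 2020 GMT]",
    r"[Fri Mar 06 09:50:58.051579 2015] [ssl:debug] [pid 29902] ssl_engine_ocsp.c(78): [client 192.168.9.26:54660] AH01918: no OCSP responder specified in certificate and no default configured",
    r"[Fri Mar 06 09:50:58.051607 2015] [ssl:info] [pid 29902] [client 192.168.9.26:54660] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=Cybertrust Global Root,O=Cybertrust\\, Inc / issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE / serial: 07273325 / notbefore: Aug 18 19:11:52 2010 GMT / notafter: Aug 18 19:11:06 2020 GMT]",
    r"[Fri Mar 06 09:50:58.052487 2015] [ssl:info] [pid 29902] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned",
]

def summarize(lines):
    """Collect, per chain depth, what mod_ssl verified and where the walk stopped."""
    report = {"chain": {}, "ocsp_unavailable": [], "verify_errors": [], "library_errors": []}
    depth = None  # depth of the certificate that following OCSP/error lines refer to
    for line in lines:
        if m := _DEPTH.search(line):
            depth = int(m.group(1))
            report["chain"][depth] = {"crl": m.group(2), "subject": m.group(3), "issuer": m.group(4)}
        elif _OCSP.search(line):
            report["ocsp_unavailable"].append(depth)
        elif m := _VERR.search(line):
            report["verify_errors"].append({"depth": depth, "code": int(m.group(1)),
                                            "reason": m.group(2), "subject": m.group(3)})
        elif m := _LIB.search(line):
            report["library_errors"].append(m.group(1))
    return report

def diagnose(report):
    """Turn the summary into findings about the proxy's client-certificate configuration."""
    findings, chain = [], report["chain"]
    if chain:
        top, bottom = max(chain), min(chain)
        if chain[top]["subject"] != chain[top]["issuer"]:
            findings.append(f"depth {top}: chain top is not self-signed, its issuer is not in SSLCACertificateFile")
        if bottom > 0:
            findings.append(f"verification stopped at depth {bottom}; the client certificate (depth 0) was never checked")
    for d in report["ocsp_unavailable"]:
        findings.append(f"depth {d}: no OCSP responder URL in certificate and no SSLOCSPDefaultResponder set")
    for e in report["verify_errors"]:
        findings.append(f"depth {e['depth']}: verify error {e['code']} ({e['reason']}) on {e['subject']}")
    for err in report["library_errors"]:
        findings.append("SSL library error: " + err)
    return findings
```

Run it on a full `LogLevel ssl:debug` error log to see at which depth the walk stalls; a depth above 0 with no further AH02275 lines means the client certificate itself was never evaluated.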

Verhelst Wouter

Mar 10, 2015, 10:27:59 AM
to eid...@googlegroups.com
Ah, yes, that's crucial :-)
--
Wouter Verhelst