SSL client certificate from Windows certificate store


Thomas Åkesson

Nov 8, 2016, 7:26:32 AM
to us...@tortoisesvn.tigris.org
Hello,

For a few years now it has been possible to import a client certificate into the Windows / IE certificate store called “Personal”. In most cases TortoiseSVN and the bundled command line tools will correctly find a suitable client certificate if one is present in the Windows certificate store. I am confident that the decision is made using the hints that the https server provides during the handshake (what openssl displays as “Acceptable client certificate CA names”).

I am investigating an issue where, in rare cases, the correct certificate is not presented to the server despite being available in the Windows Personal certificate store. The same certificate works on other servers which leads me to believe it is related to the order or exact content of “Acceptable client certificate CA names”.

I will continue investigation until it is fully isolated. What I need help with is a pointer to which code interacts with Windows Personal certificate store and makes the decision to present a certificate?

 - I have looked at the TSVN code base without finding anything. Have I missed it?
 - I doubt the code is in the core Subversion project because other builds of svn have (at least historically) not supported the Windows certificate store.
 - Should I be looking at Serf or OpenSSL?

To be clear, I am fully aware of the ability to configure a client cert in the servers file. We used that historically (cumbersome with non-techie users).

Thanks in advance,
Thomas Å.


Thomas Åkesson

Nov 8, 2016, 12:23:16 PM
to us...@tortoisesvn.tigris.org
Hello again,

Found that OpenSSL does read the Windows “MY” / Personal store.
- ./ext/openssl/engines/e_capi.c
- There is also e_capi.patch.
- Hash of the complete acceptable CA list is stored in the registry key “HKEY_CURRENT_USER\Software\TortoiseSVN\CAPIAuthz”.
- Found code that compares the certificate with STACK_OF(X509_NAME) which is likely the CA hint from the server.


The code looks good, unable to find anything obvious.

I have servers on both Apache 2.2 and 2.4. I also have certificates issued from the same CA but with different intermediates, different depth actually (2 vs 3).

The only combination that does not work is the certificate with depth 3 against Apache 2.4 when the certificate is in the Windows certificate store. Using the same p12 file configured in the servers file works fine against Apache 2.4.

Kind of odd.

/Thomas Å.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3193130

To unsubscribe from this discussion, e-mail: [users-un...@tortoisesvn.tigris.org].
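To make the selection step discussed in the two messages above concrete (the server's “Acceptable client certificate CA names” hint from the first message, and the STACK_OF(X509_NAME) comparison and CAPIAuthz list hash from the second), here is an added model of it. This is example code written for this page, not code from TortoiseSVN, Subversion, Serf or OpenSSL's e_capi.c. Everything in it is constructed and simplified: distinguished names are plain strings, a certificate is its subject plus the issuer names of its chain, the CA hierarchy and the server's list are made up, and the SHA-256 over the list merely stands in for whatever e_capi.c stores under CAPIAuthz (the thread does not describe that algorithm). The two matching strategies are hypothetical; the block shows how a depth-3 chain can be skipped by one and accepted by the other, which is one way chain depth can affect whether any certificate is offered at all.

```python
"""Model of how a client picks a certificate to offer in response to the
server's CertificateRequest ("Acceptable client certificate CA names").

Added example; not code from TortoiseSVN, Subversion, Serf or OpenSSL's
e_capi.c.  DNs are plain strings, a certificate is its subject plus the
issuer DNs of its chain, and the list hash is a stand-in for the value
e_capi.c keeps under the CAPIAuthz registry key (algorithm assumed).
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class ClientCert:
    subject: str
    # Issuer DNs from the leaf's direct issuer up to the root.
    chain_issuers: Tuple[str, ...]


# Constructed CA hierarchy: a root, a first-level intermediate, and a
# second-level intermediate issued by the first one.
ROOT = "CN=Example Root CA,O=Example"
INT_L1 = "CN=Example Issuing CA 1,O=Example"
INT_L2 = "CN=Example Issuing CA 2,O=Example"  # issued by INT_L1

# Two constructed end-entity certificates from the same root with chains
# of different depth (cf. the 2 vs 3 depth difference in the thread).
CERT_DEPTH2 = ClientCert("CN=alice,O=Example", (INT_L1, ROOT))
CERT_DEPTH3 = ClientCert("CN=bob,O=Example", (INT_L2, INT_L1, ROOT))

# Constructed acceptable-CA list, as a server might send it when its
# trust bundle holds the root and the first-level intermediate only.
SERVER_CA_NAMES = (ROOT, INT_L1)


def acceptable_ca_hash(ca_names: Sequence[str]) -> str:
    """Digest of the acceptable-CA list in the order the server sent it.

    Order matters: the same names in another order hash differently, so
    two servers with identical trust bundles but different ordering are
    remembered as distinct lists.
    """
    h = hashlib.sha256()
    for name in ca_names:
        h.update(name.encode("utf-8"))
        h.update(b"\x00")  # separator so concatenation is unambiguous
    return h.hexdigest()


def select_cert(certs: Sequence[ClientCert], ca_names: Sequence[str],
                match_full_chain: bool) -> Optional[ClientCert]:
    """Return the first certificate the server should accept, or None.

    match_full_chain=False models a client that compares only the leaf's
    direct issuer against the server's list; True models a client that
    accepts a match anywhere in the chain.  Both strategies are
    hypothetical; neither is claimed to be what e_capi.c does.
    """
    acceptable = set(ca_names)
    for cert in certs:
        names = cert.chain_issuers if match_full_chain else cert.chain_issuers[:1]
        if any(name in acceptable for name in names):
            return cert
    return None


def selection_report(certs: Sequence[ClientCert], ca_names: Sequence[str]) -> dict:
    """Subject selected under each matching strategy, for side-by-side comparison."""
    return {
        "direct_issuer_only": getattr(select_cert(certs, ca_names, False), "subject", None),
        "full_chain": getattr(select_cert(certs, ca_names, True), "subject", None),
    }


if __name__ == "__main__":
    print("CA list hash:", acceptable_ca_hash(SERVER_CA_NAMES)[:16], "...")
    print("depth-2 cert:", selection_report([CERT_DEPTH2], SERVER_CA_NAMES))
    print("depth-3 cert:", selection_report([CERT_DEPTH3], SERVER_CA_NAMES))
```

Run against the constructed data, the depth-2 certificate is offered under both strategies, while the depth-3 certificate is offered only when the whole chain is compared, because its direct issuer is not in the server's list. When debugging a case like the one in the thread, comparing the server's actual acceptable-CA list (as shown by `openssl s_client`) with the issuer names in the client certificate's chain is the first thing to check.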

David Balažic

Nov 8, 2016, 12:50:58 PM
to us...@tortoisesvn.tigris.org
Does it work when using IE to access the server?
What is the exact error?

Note that Apache requires having the root (topmost) signing CA in its trusted CA list.
Also check the SSLVerifyDepth setting of apache/mod_ssl.


David Balažic
Software Engineer
www.comtrade.com

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3193135

Thomas Åkesson

Nov 9, 2016, 4:59:29 AM
to us...@tortoisesvn.tigris.org
Thanks for your input.

> Does it work when using IE to access the server?

Yes, IE and Chrome work fine.

> What is the exact error?

TortoiseSVN, just the generic:
svn: E120171: Error running context: An error occurred during SSL communication

In the Apache server log:
[2016-11-09 09:46:39.963523] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1970): [client 83.218.70.138:58528] OpenSSL: Handshake: start
[2016-11-09 09:46:39.963538] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: before/accept initialization
[2016-11-09 09:46:39.963555] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: read 11/11 bytes from BIO#7f2004003be0 [mem: 7f200400f380] (BIO dump follows)
[2016-11-09 09:46:39.963582] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: read 506/506 bytes from BIO#7f2004003be0 [mem: 7f200400f38e] (BIO dump follows)
[2016-11-09 09:46:39.963614] [ssl:debug] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(2096): [client 83.218.70.138:58528] AH02043: SSL virtual host for servername … found
[2016-11-09 09:46:39.963643] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.963651] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 75/75 bytes to BIO#7f2004004140 [mem: 7f20040174d3] (BIO dump follows)
[2016-11-09 09:46:39.963670] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.963683] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 3212/3212 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)
[2016-11-09 09:46:39.963693] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.965110] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 338/338 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)
[2016-11-09 09:46:39.965122] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.965162] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 4096/4096 bytes to BIO#7f2004003b60 [mem: 7f2004006960] (BIO dump follows)
[2016-11-09 09:46:39.965169] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 1346/1346 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)
[2016-11-09 09:46:39.965176] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.965200] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 875/875 bytes to BIO#7f2004003b60 [mem: 7f2004006960] (BIO dump follows)
[2016-11-09 09:46:39.965218] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:40.049290] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2065): [client 83.218.70.138:58528] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f2004003be0 [mem: 7f2004011003]
[2016-11-09 09:46:40.049434] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(2008): [client 83.218.70.138:58528] OpenSSL: Exit: error in unknown state
[2016-11-09 09:46:40.049491] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(2008): [client 83.218.70.138:58528] OpenSSL: Exit: error in unknown state
[2016-11-09 09:46:40.049549] [ssl:debug] [pid 18909:tid 139775306540800] ssl_engine_io.c(1227): (70014)End of file found: [client 83.218.70.138:58528] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[2016-11-09 09:46:40.049602] [ssl:info] [pid 18909:tid 139775306540800] [client 83.218.70.138:58528] AH01998: Connection closed to child 86 with abortive shutdown (server …)


My interpretation is that the client does not present any certificate. Strange, because an entry is created in CAPIAuthz, which means the certificate was found by e_capi.c. Perhaps the certificate triggers an error somewhere in the client, but an error that is not triggered when the same cert is used from the p12 file…

When connecting with IE/Chrome I can see the whole depth of CA certs validated in the Apache log.


> Note that Apache requires having the root (topmost) signing CA in its trusted CA list.

Yes, I think it is correct. The same cert works with IE/Chrome and with Tortoise when configured as a p12 file.

> Also check the SSLVerifyDepth setting of apache/mod_ssl.

Yes, it is set to 10.

Is there any way to get stderr or other logging from TortoiseSVN / the bundled svn command?

Thanks,
Thomas Å.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3193230
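The Apache trace above is read by hand in the message: the server sends its ServerHello and certificate chain, then gets EOF where the next TLS record should be, and mod_ssl reports AH02007. Below is an added example that does the same reading mechanically, so that a server-side log can be scanned for connections that dropped mid-handshake without a client certificate ever reaching verification. It is example code written for this page, not code from TortoiseSVN, Subversion or Apache. It parses the `LogLevel ssl:trace4` error-log format seen above; the six lines for 83.218.70.138:58528 are taken from the thread's log, the second connection (192.0.2.10:40001) is constructed for contrast, and the "Certificate Verification" message in it is assumed to be how mod_ssl reports peer-certificate checks at debug level.

```python
"""Classify mod_ssl handshake traces per client connection.

Added example; not code from TortoiseSVN, Subversion or Apache.  Parses
the LogLevel ssl:trace4 error-log format and reports, per client address,
whether the handshake completed, whether a client certificate reached
verification, and whether the client closed the connection mid-handshake.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# One mod_ssl error-log line:
#   [ts] [module:level] [pid N:tid N] [source.c(line): ] [(apr_errno)text: ] [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[a-z_]+):(?P<level>[a-z0-9]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:(?P<source>[\w.]+\(\d+\)): )?"
    r"(?:\((?P<apr_err>\d+)\)(?P<apr_text>[^:]+): )?"
    r"\[client (?P<client>[^\]]+)\] "
    r"(?P<message>.*)$"
)
WRITE_RE = re.compile(r"OpenSSL: write (\d+)/\d+ bytes to BIO")

COMPLETED = "handshake completed"
CLIENT_ABORTED = "client closed connection during handshake; no client certificate verified"
INCOMPLETE = "handshake incomplete"
NO_HANDSHAKE = "no handshake observed"


@dataclass
class Handshake:
    client: str
    started: bool = False
    done: bool = False
    bytes_written: int = 0          # server -> BIO writes, summed
    client_cert_seen: bool = False  # a peer certificate reached verification
    io_error: bool = False          # "I/O error, N bytes expected to read"
    interrupted: bool = False       # AH02007: handshake interrupted by system


def analyse(lines: Iterable[str]) -> Dict[str, Handshake]:
    """Fold log lines into one Handshake record per client address."""
    records: Dict[str, Handshake] = {}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m or m["module"] != "ssl":
            continue  # not a mod_ssl line in the expected format
        rec = records.setdefault(m["client"], Handshake(m["client"]))
        msg = m["message"]
        write = WRITE_RE.search(msg)
        if "Handshake: start" in msg:
            rec.started = True
        elif "Handshake: done" in msg:
            rec.done = True
        elif write:
            rec.bytes_written += int(write.group(1))
        elif "Certificate Verification" in msg:  # assumed mod_ssl wording
            rec.client_cert_seen = True
        elif "I/O error" in msg:
            rec.io_error = True
        elif "AH02007" in msg:
            rec.interrupted = True
    return records


def classify(rec: Handshake) -> str:
    """Summarise one connection; the abort case is the one seen in the thread."""
    if rec.done:
        return COMPLETED
    if rec.started and rec.interrupted and not rec.client_cert_seen:
        return CLIENT_ABORTED
    if rec.started:
        return INCOMPLETE
    return NO_HANDSHAKE


P = "[pid 18909:tid 139775306540800]"
SAMPLE_LOG = [
    # Lines 0-5: taken from the Apache log posted in the thread.
    f"[2016-11-09 09:46:39.963523] [ssl:trace3] {P} ssl_engine_kernel.c(1970): [client 83.218.70.138:58528] OpenSSL: Handshake: start",
    f"[2016-11-09 09:46:39.963683] [ssl:trace4] {P} ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 3212/3212 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)",
    f"[2016-11-09 09:46:40.049290] [ssl:trace4] {P} ssl_engine_io.c(2065): [client 83.218.70.138:58528] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f2004003be0 [mem: 7f2004011003]",
    f"[2016-11-09 09:46:40.049434] [ssl:trace3] {P} ssl_engine_kernel.c(2008): [client 83.218.70.138:58528] OpenSSL: Exit: error in unknown state",
    f"[2016-11-09 09:46:40.049549] [ssl:debug] {P} ssl_engine_io.c(1227): (70014)End of file found: [client 83.218.70.138:58528] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]",
    f"[2016-11-09 09:46:40.049602] [ssl:info] {P} [client 83.218.70.138:58528] AH01998: Connection closed to child 86 with abortive shutdown (server example.invalid:443)",
    # Lines 6-9: constructed successful connection for contrast (TEST-NET address).
    f"[2016-11-09 09:47:01.000001] [ssl:trace3] {P} ssl_engine_kernel.c(1970): [client 192.0.2.10:40001] OpenSSL: Handshake: start",
    f"[2016-11-09 09:47:01.000050] [ssl:trace4] {P} ssl_engine_io.c(2056): [client 192.0.2.10:40001] OpenSSL: write 3212/3212 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)",
    f"[2016-11-09 09:47:01.000100] [ssl:debug] {P} ssl_engine_kernel.c(1700): [client 192.0.2.10:40001] Certificate Verification, depth 2, CRL checking mode: none [subject: CN=Example Root CA, issuer: CN=Example Root CA]",
    f"[2016-11-09 09:47:01.000200] [ssl:trace3] {P} ssl_engine_kernel.c(1970): [client 192.0.2.10:40001] OpenSSL: Handshake: done",
]

if __name__ == "__main__":
    for client, rec in analyse(SAMPLE_LOG).items():
        print(f"{client}: {classify(rec)} (sent {rec.bytes_written} bytes)")
```

For the connection from the thread the classifier reports the server had already written its 3212-byte certificate chain when the read failed with EOF, and no certificate of the client's was ever verified; that is the same reading the message above arrives at by eye. When the failure is intermittent, running the classifier over a day of `ssl:trace4` logs and grouping the aborted connections by client address or by the server name in AH01998 separates a client-side selection problem from a server-side trust-list problem faster than inspecting individual handshakes.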

Thomas Åkesson

Nov 9, 2016, 5:13:36 AM
to us...@tortoisesvn.tigris.org
> Is there any way to get stderr or other logging from TortoiseSVN / the bundled svn command?

I have tried DebugView according to this Stack Overflow question:
http://stackoverflow.com/questions/20614894/how-to-debug-something-in-tortoisesvn

It does not show any low-level stuff. Nothing when using the svn command line.

Thanks,
Thomas Å.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3193231