【Posted】: 2019-07-15 23:40:10
【Question】:
On my Apache web server there is a path where clients must authenticate with a valid certificate.
Sometimes there is a client (a SOAP web service) that cannot connect, and my Apache returns 403 with "sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?". I need to check the reason and the certificate it is using.
I set the trace3 log level for mod_ssl and a custom log like this:
CustomLog /var/log/httpd-ssl.log "%t %h \"%{User-agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s \"%{SSL_CLIENT_S_DN_CN}x\" <<<%{SSL_CLIENT_CERT}x>>>"
<IfModule mod_ssl.c>
ErrorLog /var/log/apache2/ssl_engine.log
LogLevel trace3
</IfModule>
In the first log file I can see all the information for clients that can connect, but when a client fails there is no useful information:
[16/Feb/2019:11:01:43 +0100] XXX.XXX.XXX.XXX "IBM WebServices/1.0" - - "POST MYSECRETPATH HTTP/1.1" 403 "-" <<<->>>
In the second one I can see some information, for example:
[Thu Feb 21 13:57:55.288418 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(359): [client xxx.xxx.xxx.xxx:56892] AH02034: Initial (No.1) HTTPS request received for child 5 (server XXX.XXX.XXX:443)
[Thu Feb 21 13:57:55.288591 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(743): [client xxx.xxx.xxx.xxx:56892] AH02255: Changed client verification type will force renegotiation
[Thu Feb 21 13:57:55.557866 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02221: Requesting connection re-negotiation
[Thu Feb 21 13:57:55.557902 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(970): [client xxx.xxx.xxx.xxx:56892] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Feb 21 13:57:55.557919 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.557932 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSL renegotiate ciphers
[Thu Feb 21 13:57:55.557948 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request A
[Thu Feb 21 13:57:55.557978 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.557986 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request C
[Thu Feb 21 13:57:55.557996 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02226: Awaiting re-negotiation handshake
[Thu Feb 21 13:57:55.558005 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.558016 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: before accept initialization
[Thu Feb 21 13:57:55.590106 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(2141): [client xxx.xxx.xxx.xxx:56892] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Thu Feb 21 13:57:55.590134 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 read client hello A
[Thu Feb 21 13:57:55.590146 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write server hello A
[Thu Feb 21 13:57:55.590177 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate A
[Thu Feb 21 13:57:55.590190 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate request A
[Thu Feb 21 13:57:55.590217 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.887495 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2001): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Read: SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887530 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2020): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887538 2019] [ssl:error] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02261: Re-negotiation handshake failed
[Thu Feb 21 13:57:55.887567 2019] [ssl:error] [pid 99609] SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?
[Thu Feb 21 13:57:55.887578 2019] [core:trace3] [pid 99609] request.c(117): [client xxx.xxx.xxx.xxx:56892] auth phase 'check access (with Satisfy All)' gave status 403: /my/secret/path
[Thu Feb 21 13:57:55.887611 2019] [http:trace3] [pid 99609] http_filters.c(1003): [client xxx.xxx.xxx.xxx:56892] Response sent with status 403
But nothing really useful.
I want to log/write out the certificate that Apache is reading but not accepting. How can I log it?
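An added example (not code from the question or its comments) that reads mod_ssl trace3 lines of the shape quoted above and reports, per client connection, the handshake states reached, the AH codes, the alert number, and whether the handshake moved past the "read client certificate" step; the sample lines and addresses are constructed. Lines such as "SSL Library Error" carry no [client] tag, so they are attributed to the last client seen under the same [pid].

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the mod_ssl trace3 lines quoted in the question
# (addresses and ports are made up; one failed and one progressing handshake).
SAMPLE_LOG = """\
[Thu Feb 21 13:57:55.590190 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client 203.0.113.7:56892] OpenSSL: Loop: SSLv3 write certificate request A
[Thu Feb 21 13:57:55.887495 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2001): [client 203.0.113.7:56892] OpenSSL: Read: SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887530 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2020): [client 203.0.113.7:56892] OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887538 2019] [ssl:error] [pid 99609] [client 203.0.113.7:56892] AH02261: Re-negotiation handshake failed
[Thu Feb 21 13:57:55.887567 2019] [ssl:error] [pid 99609] SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?
[Thu Feb 21 13:58:01.100000 2019] [ssl:trace3] [pid 99610] ssl_engine_kernel.c(1996): [client 203.0.113.9:40001] OpenSSL: Loop: SSLv3 read client certificate A
[Thu Feb 21 13:58:01.100100 2019] [ssl:trace3] [pid 99610] ssl_engine_kernel.c(1996): [client 203.0.113.9:40001] OpenSSL: Loop: SSLv3 read client key exchange A
"""

PID_RE = re.compile(r"\[pid (\d+)\]")
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
STATE_RE = re.compile(r"OpenSSL: (Loop|Read|Write|Exit): (.+)$")
ALERT_RE = re.compile(r"\(SSL alert number (\d+)\)")
AH_RE = re.compile(r"\b(AH\d{5})\b")


def summarize_handshakes(log_text):
    """Group lines by [client ip:port]; record handshake states, AH codes and alert number.
    Untagged lines (e.g. 'SSL Library Error') go to the last client seen under the same pid."""
    last_client_by_pid, summary = {}, OrderedDict()
    for line in log_text.splitlines():
        m_pid, m_client = PID_RE.search(line), CLIENT_RE.search(line)
        pid = m_pid.group(1) if m_pid else None
        client = m_client.group(1) if m_client else last_client_by_pid.get(pid)
        if client is None:
            continue  # untagged line with no known owner: nothing to attribute it to
        last_client_by_pid[pid] = client
        entry = summary.setdefault(client, {"states": [], "ah": [], "alert": None})
        m_state = STATE_RE.search(line)
        if m_state:
            entry["states"].append((m_state.group(1), m_state.group(2)))
        entry["ah"].extend(AH_RE.findall(line))
        m_alert = ALERT_RE.search(line)
        entry["alert"] = int(m_alert.group(1)) if m_alert else entry["alert"]
    return summary


def client_cert_received(entry):
    """True only if the handshake moved past 'read client certificate A' instead of failing there."""
    states = entry["states"]
    for i, (kind, text) in enumerate(states):
        if kind != "Exit" and text.endswith("read client certificate A"):
            return i + 1 < len(states) and states[i + 1][0] != "Exit"
    return False
```

A connection whose entry reports an alert and no certificate received never handed Apache a certificate, which is why the %{SSL_CLIENT_CERT}x field in the access log stays empty for it.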
【Discussion】:
If someone like me comes here googling "apache2 log client certificate": the key part here is
"<<<%{SSL_CLIENT_CERT}x>>>". I was able to log the client certificate with the following configuration: LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %{SSL_CLIENT_CERT}x" ssl_extended CustomLog "/var/log/httpd-ssl.log" ssl_extended
Tags: apache ssl client-certificates