
[Solved] mTLS Client ca-file issues when server's CA is not in ca-file. tls_post_process_client_hello:cert cb error / error:00000000:lib(0):func(0):reason(0)

Added by Agossi 2 months ago

Hi,

I am struggling with mTLS setup with lighttpd.

Version:

lighttpd/1.4.60 (ssl) - a light and fast webserver

OpenSSL 1.1.1k  25 Mar 2021

Config:

$SERVER["socket"] == "0.0.0.0:443" {
    server.document-root = "/opt/web/" 
    ssl.engine                 = "enable" 
    ssl.pemfile                = "/certificates/https_server_crt.pem" 
    ssl.dh-file                = "/certificates/dhparams.pem" 
    server.name = "ssl-sever" 

    ssl.openssl.ssl-conf-cmd += ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    ssl.use-compression = "disable" 
    ssl.honor-cipher-order = "disable" 
    ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" 

    ssl.verifyclient.ca-file   = "/certificates/root-ca.pem" 
    ssl.verifyclient.activate = "enable" 
    ssl.verifyclient.enforce = "enable" 
    ssl.verifyclient.exportcert = "enable" 
    ssl.verifyclient.depth  = 2
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" 

}

I am seeing issues when a NOT self-signed certificate is used for the server and the CA is not in the ssl.verifyclient.ca-file.

Setup Self-Signed:
ssl.pemfile => /certificates/self_signed_server.pem
ssl.verifyclient.ca-file => different CA (not self signed)
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"

=> works as expected as it rejects clients which are not signed by CA of the ssl.verifyclient.ca-file.

But now if I have a signed server certificate:
ssl.pemfile => /certificates/signed_server.pem
ssl.verifyclient.ca-file => different CA (not the one the server cert was signed with)
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"

I get the following errors:

(mod_openssl.c.1115) SSL: building cert chain for TLS server name : error:00000000:lib(0):func(0):reason(0)
(mod_openssl.c.3247) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error

But as from https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL:

ssl.verifyclient.ca-file    path to file for certificate authorities (CA) used for *client certificate* verification (since 1.4.60) (ssl.ca-file before 1.4.60)

I assumed the ssl.verifyclient.ca-file is only used to verify client certificates.

If I remove the ssl.verifyclient.* entries, https:// works and is shown as validly signed; it also works if I add the CA cert of the CA which signed signed_server.pem to the ssl.verifyclient.ca-file.

Can someone please explain why it behaves this way or what I am doing wrong in regard to the client authentication?
Must the server certificate's issuer CA always be in the ssl.verifyclient.ca-file to get it to work? And why does it work with a self-signed certificate out of the box?
I assumed the ssl.verifyclient.ca-file is only relevant for client verification?

Many thanks in advance


Replies (4)

RE: mTLS Client ca-file issues when server's CA is not in ca-file. tls_post_process_client_hello:cert cb error / error:00000000:lib(0):func(0):reason(0) - Added by gstrauss 2 months ago

Please read lighttpd TLS docs and follow the configuration recommendations.

ssl.pemfile should contain the server certificate and any intermediate certificates up to the root cert.

If the certificate chain is in ssl.pemfile, then ssl.verifyclient.ca-file is used only for client certificate verification (and ssl.verifyclient.ca-file must contain the appropriate signing certs and root certs for client certificate verification).

If ssl.pemfile contains only the leaf certificate, then a historical openssl "feature" uses ca-file to try to complete the certificate chain, and recent versions of lighttpd try to preserve this behavior in lighttpd TLS modules even though lighttpd recommends that ssl.pemfile contain the certificate chain instead of only the leaf certificate.

You should prefer to use the latest lighttpd release: lighttpd 1.4.64
You should remove all deprecated ssl.* directives.

RE: mTLS Client ca-file issues when server's CA is not in ca-file. tls_post_process_client_hello:cert cb error / error:00000000:lib(0):func(0):reason(0) - Added by Agossi 2 months ago

Thank you very much for this answer, this clarifies a lot and you earned a coffee.

Is there a built-in way to prevent lighttpd from starting if an incomplete chain is provided, so that I can fall back to a well-known default config?

As an alternative I might have to use "openssl verify" beforehand, or is there any better idea?

RE: mTLS Client ca-file issues when server's CA is not in ca-file. tls_post_process_client_hello:cert cb error / error:00000000:lib(0):func(0):reason(0) - Added by gstrauss 2 months ago

Is there a built-in way to prevent lighttpd from starting if an incomplete chain is provided, so that I can fall back to a well-known default config?

lighttpd does not perform such a thorough check at startup, since doing so could be an expensive operation to validate a certificate chain if the root cert needs to be obtained from somewhere else on the network or internet, which might result in large latency or might fail.

Since updating certificates is not something which happens frequently (every second or every minute), it is recommended that you validate the certificate chain using openssl verify at the point in time right before you deploy the certificate files. Your search engine will probably turn up some scripts which walk the chain, matching each cert's issuer to the next intermediate cert's subject, ordered from leaf certificate to root certificate. In most cases, the root certificate is optional for ssl.pemfile when there are intermediates.

For most certificate authorities, you should be using the files provided directly from the CA. e.g. for Let's Encrypt:
ssl.pemfile = "/path/to/example.com/fullchain.pem"
ssl.privkey = "/path/to/example.com/privkey.pem"
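The following is an added example and is not code from this thread or from the lighttpd project. It covers both points made above: that ssl.pemfile must hold the leaf followed by its intermediates (so that ssl.verifyclient.ca-file is left to client verification), and that the chain should be checked with openssl verify right before deployment. It generates a throwaway root CA, intermediate CA and server leaf with openssl (constructed test data; the subjects, file names and $WORK directory are assumptions), walks the chain matching each certificate's issuer to the subject of the next one, and then runs openssl verify for the complete chain, for a leaf-only file, and for the question's case of a ca-file that does or does not contain the server's issuers.

```shell
#!/bin/sh
# Added example; not code from this thread or from the lighttpd project.
# It generates a throwaway root CA -> intermediate CA -> server leaf chain with
# openssl (constructed test data) and then performs the pre-deployment check
# described above: walk the chain leaf -> intermediate, matching each
# certificate's issuer to the next certificate's subject, and run
# "openssl verify" against the trust root. The subjects, file names and the
# $WORK directory are assumptions made for the example.

WORK="${WORK:-$(mktemp -d)}"

# Self-contained openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

# make_chain: root CA, intermediate CA, server leaf, plus an unrelated "client CA"
# standing in for ssl.verifyclient.ca-file. fullchain.pem (leaf followed by the
# intermediate) is the layout ssl.pemfile should have.
make_chain() {
    cfg="$WORK/ca.cnf"
    newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    openssl req -x509 -config "$cfg" -extensions v3_ca $newkey -sha256 -days 1 \
        -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null || return 1
    openssl req -new -config "$cfg" $newkey -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$cfg" -extensions v3_int -out "$WORK/int.pem" 2>/dev/null || return 1
    openssl req -new -config "$cfg" $newkey -sha256 -subj "/CN=ssl-server.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$cfg" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null || return 1
    openssl req -x509 -config "$cfg" -extensions v3_ca $newkey -sha256 -days 1 \
        -subj "/CN=Example Client CA" -keyout "$WORK/clientca.key" -out "$WORK/clientca.pem" 2>/dev/null || return 1
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
    # The question's "works if I add the server's CA to ca-file" case: client CA plus the server's issuers
    cat "$WORK/clientca.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/cafile_with_server_ca.pem"
}

# split_chain FILE: write each PEM certificate to $WORK/chain_N.pem; print the count.
split_chain() {
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain_" n ".pem" }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }' "$1"
}

# walk_chain FILE: check the ordering ssl.pemfile needs, leaf first and every
# certificate's issuer equal to the subject of the one that follows.
# Prints the certificate count on success, returns 1 on a broken link.
walk_chain() {
    n=$(split_chain "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$WORK/chain_$i.pem" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$WORK/chain_$j.pem" -noout -subject -nameopt RFC2253)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain broken between cert $i and cert $j: $issuer vs $subject" >&2
            return 1
        fi
        i=$j
    done
    echo "$n"
}

# verify_chain FILE TRUSTFILE: the "openssl verify" check. The first certificate
# in FILE is the leaf; the rest are offered as untrusted intermediates, which is
# what a TLS server sends, and TRUSTFILE plays the role of the trusted roots.
verify_chain() {
    split_chain "$1" >/dev/null
    openssl verify -CAfile "$2" -untrusted "$1" "$WORK/chain_1.pem" >/dev/null 2>&1
}

make_chain || { echo "certificate generation failed (is openssl installed?)" >&2; exit 1; }
echo "fullchain.pem holds $(walk_chain "$WORK/fullchain.pem") certificates in issuer/subject order"
verify_chain "$WORK/fullchain.pem" "$WORK/root.pem" && echo "fullchain.pem: complete chain, fine for ssl.pemfile"
verify_chain "$WORK/leaf.pem" "$WORK/root.pem" || echo "leaf.pem alone: incomplete chain, intermediate missing"
verify_chain "$WORK/leaf.pem" "$WORK/clientca.pem" || echo "leaf.pem vs client CA: not issued by that CA"
verify_chain "$WORK/leaf.pem" "$WORK/cafile_with_server_ca.pem" && echo "leaf.pem completed from a ca-file holding its issuers"
```

Run it as a deploy-time gate: a non-zero status from walk_chain or verify_chain on the file you are about to install as ssl.pemfile means the chain is mis-ordered or incomplete, which is the situation that otherwise surfaces only at runtime as the cert cb error quoted in the question. The last line reproduces the "it works once the server's CA is in ca-file" observation: a leaf-only file can be completed from a trust file that happens to contain the missing issuers, but that is not what ssl.verifyclient.ca-file is for.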

RE: mTLS Client ca-file issues when server's CA is not in ca-file. tls_post_process_client_hello:cert cb error / error:00000000:lib(0):func(0):reason(0) - Added by gstrauss 2 months ago

I believe that just about everything I have posted here is already documented in the lighttpd TLS documentation, including the explanation in the lighttpd TLS docs about chained certificates.
