[Solved] SSL client authentication doesn't work

Added by Julius about 10 years ago

Hi all,

I am trying to authenticate a client via certificate, but it doesn't work.
I am using an embedded Linux, version 2.6.34.7. My lighttpd version is 1.4.31.

My config file looks like this:

server.bind = "192.168.200.110"
ssl.engine = "enable"
ssl.pemfile = "/config/hiawatha/cert/server/server.pem"
ssl.ca-file = "/config/hiawatha/cert/ca/ca-cert.pem"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.depth = 10

I have made all certificates with openssl.
I also have made a p12 file for the browser (Firefox 11.0, Ubuntu) and imported it.

This is the error code from Firefox:
(Error code: ssl_error_bad_cert_alert)

Thanks in advance
Julius


Replies (10)

RE: SSL client authentication doesn't work - Added by carpii about 10 years ago

What's in lighty's error log?

RE: SSL client authentication doesn't work - Added by Julius about 10 years ago

The following message is in the error log:
(connections.c.305) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

I noticed that it works sometimes and sometimes not.

RE: SSL client authentication doesn't work - Added by Grundor over 5 years ago

It's a 5-year-old post, but even today we are still receiving the same error.
The same configuration works in Apache; however, in lighttpd it does not.
Lighttpd:
lighttpd/1.4.45 (ssl) - a light and fast webserver

Build-Date: Jan 17 2017 18:29:13

Event Handlers:

        + select (generic)
        + poll (Unix)
        + epoll (Linux 2.6)
        - /dev/poll (Solaris)
        - eventports (Solaris)
        - kqueue (FreeBSD)
        - libev (generic)

Network handler:

        + linux-sendfile
        - freebsd-sendfile
        - darwin-sendfile
        - solaris-sendfilev
        + writev
        + write
        - mmap support

Features:

        + IPv6 support
        + zlib support
        + bzip2 support
        + crypt support
        + SSL Support
        + PCRE support
        + MySQL support
        + Kerberos support
        + LDAP support
        - memcached support
        + FAM support
        + LUA support
        - xml support
        - SQLite support
        + GDBM support

CentOS 7.2

LOG:

(connections-glue.c.200) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

http://serverfault.com/questions/836870/error-ssl3-get-client-certificatepeer-did-not-return-a-certificate-on-lighttp

RE: SSL client authentication doesn't work - Added by gstrauss over 5 years ago

Have you looked through Docs_SSL?

Perhaps you have omitted details of your specific configuration? If you provide more details on how to reproduce your issue, then the easier it is to reproduce, the more likely it is that the problem will be fixed.

There are other open issues and feature requests for TLS in lighttpd, including #2562, #2319, #2692, #2694. Are any of them related to your issue?

RE: SSL client authentication doesn't work - Added by Grundor over 5 years ago

The configuration is as follow:

$SERVER["socket"] == ":443" {
            protocol     = "https://" 
            ssl.engine   = "enable" 
            ssl.disable-client-renegotiation = "enable" 

            #server.name = "mywebsite.com" 
            ssl.pemfile               = "/etc/lighttpd/ssl/mywebsite.com.pem" 
            ssl.ca-file               = "/etc/lighttpd/ssl/global.pem" 

            ssl.ec-curve              = "secp384r1" 
            ssl.use-sslv2 = "disable" 
            ssl.use-sslv3 = "disable" 
            ssl.honor-cipher-order    = "enable" 
            #ssl.cipher-list           = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" 

            # HSTS(15768000 seconds = 6 months)
            #setenv.add-response-header  = (
            #   "Strict-Transport-Security" => "max-age=15768000;" 
            #)

            #ask for client cert
            ssl.verifyclient.exportcert = "enable" 
            ssl.verifyclient.activate   = "enable" 
            ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN" 
            ssl.verifyclient.enforce    = "enable" 
            ssl.verifyclient.depth      = 3
        }
    }

The Docs_SSL doesn't provide enough information to enable users to use the "verifyclient" variables, such as usage examples.

Attachment: global.pem (267 KB) - Global Trusted CAs

RE: SSL client authentication doesn't work - Added by gstrauss over 5 years ago

The Docs_SSL doesn't provide enough information to enable users to use "verifyclient" variables, such as usage examples.

While that is likely a fair criticism, your post above also provides very little in the way of how to reproduce your problem. Your full config has not been provided (lighttpd -f /etc/lighttpd/lighttpd.conf -p). Please xxxxx out any sensitive information. What module are you loading that has the protocol directive? What client browser are you using, and how have you configured it? What steps do you take (in detail) to trigger the issue?

RE: SSL client authentication doesn't work - Added by Grundor over 5 years ago

While that is likely a fair criticism,(...)

My argument is based on a simple comparison:

Lighttpd:
"ssl.verifyclient.activate: enable/disable client verification". We only have short descriptions like this for all the other ssl.verifyclient.* variables.

Apache:
The text is so big that I will not paste it here, but you can check it at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient . It gives a complete explanation with some examples, usage considerations, et cetera.

Whatever, I'll try to provide more information on how to trigger this issue.

How to reproduce:

- Install lighttpd from one of the yum repositories (on CentOS 7)
- Proceed with a valid certificate installation, using a PEM file (cert+key)
- Enable Verify Client
- Try to access the host/URL that has it enabled.
- It is expected that the browser prompts for a certificate selection, but nothing happens.
- In the server error log it is possible to see this error:

(connections-glue.c.200) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

To debug it I suggest using an incognito window, because the selection (nothing) will be stored for the next requests.

My lighttpd -f /etc/lighttpd/lighttpd.conf -p output (with some obfuscations) is in the attachment.

Please let me know if I can provide more information.

RE: SSL client authentication doesn't work - Added by gstrauss over 5 years ago

This looks incorrect in your config:

ssl.ca-file                      = "/etc/lighttpd/ssl/exampleplatform.info.csr" 
...
ssl.ca-file                      = "/etc/lighttpd/ssl/origin-pull-ca.pem" 
...
ssl.ca-file                      = "/etc/lighttpd/ssl/anoter_example.com.csr" 

The ssl.ca-file should be a certificate (e.g. *.crt), not a certificate signing request (e.g. *.csr).
Please verify the contents of these files.

If you are using a custom CA, then make sure ssl.ca-file contains the cert of the CA which signed the client certs.

You might also get some hints from a nice article using custom CA and client certs with lighttpd:
https://schnouki.net/posts/2014/08/12/lighttpd-and-ssl-client-certificates/

RE: SSL client authentication doesn't work - Added by Grundor over 5 years ago

The ssl.ca-file reads the content; you can point it at any file type here, even a .txt. It doesn't matter to lighttpd whether the content is a certificate or a certificate chain.

When you enable ssl.verifyclient.activate, lighttpd will request a certificate that has been signed by the root CA certificate(s) inside the ca-file.

If I want to use a 3rd-party certificate, for example ICP-Brazil¹ in my case, that is the root of all personal certificates (it's called a "digital document" here). This certificate is signed by this entity and is the proof that you are really you, and it has legal weight in court. ICP-Brazil today has 5 versions of their root certificate, so if my system should support legacy certificates (which could have up to 6 years of validity), it means I need to put more than one certificate in ssl.ca-file.

About the error:

(connections.c.305) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
It's happening for a few reasons:
  • The client doesn't have any valid certificate (one that matches the root certificates in ssl.ca-file)
  • The connection was interrupted before the SSL handshake completed. It can be caused by taking a very long time to choose the certificate or to enter the certificate password, or even a network restart.
  • You're using a CDN network (I got the expected result when I added an exception for this call); the connection between client and server should be direct, end-to-end.

So I conclude that this is not really a bug to be corrected, but rather limitations of the SSL handshaking technology.

¹ http://www.iti.gov.br/icp-brasil
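The two posts above make three points a practitioner will want to check on their own box: ssl.ca-file must hold CA certificates (not CSRs or keys), it may hold several roots concatenated together, and the client certificate must chain to one of those roots or lighttpd will log "peer did not return a certificate" after the browser silently offers nothing. The script below is an added example, not code from the thread or the lighttpd project. It assumes the openssl CLI is installed and writes into a scratch directory ($WORK, default mktemp -d); the CA names "Legacy Root"/"Current Root"/"Unrelated Root" and the users alice/bob/mallory are made up. It builds two roots, concatenates them into the file lighttpd would be pointed at, signs client certs, produces the .p12 a browser imports, checks the ca-file's PEM content the way gstrauss asks for, and runs the same chain verification lighttpd performs during the handshake.

```shell
#!/bin/sh
# Added example (not from the lighttpd thread): throwaway CA + client certs,
# a concatenated ssl.ca-file, a browser .p12, and offline sanity checks.
# Requires the openssl CLI. All names below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. "-x509" makes a certificate; without it you get a CSR,
# which is exactly the file type that must NOT end up in ssl.ca-file.
make_root() {   # $1 = file stem, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Client certificate signed by the named root. The CSR is only an
# intermediate artifact; the .p12 is what Firefox/Chrome import.
make_client() { # $1 = root stem, $2 = client stem, $3 = CN
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$2.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/$2.crt" -inkey "$WORK/$2.key" \
        -name "$3" -out "$WORK/$2.p12" -passout pass:changeit >/dev/null 2>&1
}

# ssl.ca-file is plain concatenated PEM: several root generations can
# coexist, so clients issued under the old root keep working.
build_ca_file() {
    cat "$WORK/legacy-root.crt" "$WORK/current-root.crt" > "$WORK/ca-file.pem"
}

# Count PEM objects of one label in a file (0 when none).
count_pem() {   # $1 = file, $2 = PEM label, e.g. CERTIFICATE
    grep -c "^-----BEGIN $2-----$" "$1" || true
}

# 0 when the file is usable as ssl.ca-file: >=1 certificate, no CSR, no key.
check_ca_file() {
    f="$1"
    [ "$(count_pem "$f" CERTIFICATE)" -ge 1 ] || { echo "$f: no certificates"; return 1; }
    [ "$(count_pem "$f" 'CERTIFICATE REQUEST')" -eq 0 ] || { echo "$f: contains a CSR"; return 1; }
    ! grep -q "PRIVATE KEY-----" "$f" || { echo "$f: contains a private key"; return 1; }
    return 0
}

# The check lighttpd performs at the handshake: does the client cert chain
# to a root in ssl.ca-file? Anything else is rejected with a bad_certificate alert.
verify_client() {   # $1 = client stem
    openssl verify -CAfile "$WORK/ca-file.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

setup() {
    make_root legacy-root  "Legacy Root"
    make_root current-root "Current Root"
    make_root other-root   "Unrelated Root"      # a CA lighttpd is NOT told about
    make_client legacy-root  alice   "alice"
    make_client current-root bob     "bob"
    make_client other-root   mallory "mallory"
    build_ca_file
}

# Build everything and report, as the demo does when run directly.
setup
check_ca_file "$WORK/ca-file.pem" \
    && echo "ssl.ca-file OK: $(count_pem "$WORK/ca-file.pem" CERTIFICATE) roots"
check_ca_file "$WORK/alice.csr" || echo "(as expected, a CSR is not a usable ca-file)"
for c in alice bob mallory; do
    if verify_client "$c"; then echo "$c: accepted"; else echo "$c: rejected, issuer not in ssl.ca-file"; fi
done
```

To exercise the real server rather than the files, the same certificates can be offered from the command line, which shows the server's alert directly instead of the browser's silent failure: `openssl s_client -connect host:443 -cert "$WORK/alice.crt" -key "$WORK/alice.key" -CAfile "$WORK/ca-file.pem"`. Running it once with the `-cert`/`-key` pair and once without reproduces the "peer did not return a certificate" line on the lighttpd side.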

RE: SSL client authentication doesn't work - Added by gstrauss over 5 years ago

Thanks for the update and I am glad things are working for you. I hope this will help others, and I'll update the doc to add a note about CDNs.
