Apache client authentication OCSP responder issue
I'm having a problem setting up Apache 2.4.29 on Windows to do client authentication against a working OCSP responder. Client authentication works fine when the OCSP responder is turned off. When I send a request to the OCSP responder manually with OpenSSL, I can also verify that my client certificate's status is "good". It is only a problem when it is used from Apache...
Certificate authorities (I am acting as my own CA):
Root CA > Intermediate CA
Intermediate CA > Client certificate 1
Intermediate CA > OCSP signing certificate
Certificate files
ca-chain.cert.pem (root CA and intermediate CA certificates)
intermediate.cert.pem (intermediate CA certificate)
ocsp.mydomain.com.cert.pem (OCSP signing certificate)
client1.cert.pem (client certificate)
Windows setup
- Root CA and intermediate CA certificates, together with their private keys (imported as .pfx), imported into the "Trusted Root Certificate Authorities" and "Intermediate Certificate Authorities" stores respectively
- Client certificate, together with its private key (imported as .pfx), imported into the "Personal" certificate store
OCSP responder server
openssl ocsp -port ocsp.mydomain.com:2560 -text -sha256 \
-index intermediate/index.txt \
-CA intermediate/certs/ca-chain.cert.pem \
-rkey intermediate/private/ocsp.mydomain.com.key.pem \
-rsigner intermediate/certs/ocsp.mydomain.com.cert.pem
Manual OCSP request (just to confirm that everything is set up correctly, outside Apache)
Request
openssl ocsp -CAfile intermediate/certs/ca-chain.cert.pem \
-url http://ocsp.mydomain.com:2560 -resp_text \
-issuer intermediate/certs/intermediate.cert.pem \
-cert intermediate/certs/client1.cert.pem
Response (... stands for verbose output I left out; it is not actually in the response)
...
Certificate ID:
...
Issuer Key Hash: 6FBE86C0DE4500EE4945D1ECC3E41F9DACF5CEEC
...
...
Response verify OK
intermediate/certs/client1.cert.pem: good
The "Issuer Key Hash" above matches the "Authority Key Identifier" of the client certificate in my "Personal" certificate store, so everything looks good
Apache setup
SSLVerifyClient require
SSLVerifyDepth 10
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://ocsp.mydomain.com:2560"
SSLCACertificateFile "${SRVROOT}/conf/ssl/ca-chain.cert.pem"
Apache error
Library Error: OCSP_basic_verify: root ca not trusted (log output below)
1973: connecting to OCSP responder 'ocsp.mydomain.com:2560'
1975: sending request to OCSP responder
AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / issuer: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / serial: B0992B306BCDD3BD / notbefore: Mar 10 21:09:10 2018 GMT / notafter: Mar 5 21:09:10 2038 GMT]
AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=Generic Code Intermediate CA,O=Generic Code,ST=New York,C=US / issuer: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / serial: 1000 / notbefore: Mar 10 21:20:32 2018 GMT / notafter: Mar 7 21:20:32 2028 GMT]
_util_ocsp.c(96):1973: connecting to OCSP responder 'ocsp.mydomain.com:2560'
_util_ocsp.c(124):1975: sending request to OCSP responder
_util_ocsp.c(234): 1981: OCSP response header: Content-type: application/ocsp-response
_util_ocsp.c(234): 1981: OCSP response header: Content-Length: 2270
_util_ocsp.c(282): 1987: OCSP response: got 2270 bytes, 2270 total
1925: failed to verify the OCSP response
Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=Generic Code Intermediate CA,O=Generic Code,ST=New York,C=US / issuer: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / serial: 1000 / notbefore: Mar 10 21:20:32 2018 GMT / notafter: Mar 7 21:20:32 2028 GMT]
2008: library error 1 in handshake (server localhost:443)
Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
1998: Connection closed to child 38 with abortive shutdown (server localhost:443)
Error response from the OCSP responder when Apache hits it
Response (... stands for verbose output I left out; it is not actually in the response)
...
Certificate ID:
...
Issuer Key Hash: 79D4440D1471385397B194EF1038CEEEEFBBAC24
...
Cert Status: unknown
...
The "Issuer Key Hash" above matches the "Authority Key Identifier" of the root CA certificate in my "Trusted Root Certificate Authorities" store. WTF? Why?
Can anyone see what I have done wrong, or know why this doesn't work?
I got it working.
- Reissued the intermediate CA with OCSP information
- Set up a second OCSP responder for the OCSP information on the intermediate CA; the second OCSP responder's signing certificate is signed by the root CA
- Reran the test, and now everything works
It looks like mod_ssl has to validate the whole certificate chain rather than stopping at the client certificate itself. I wish it were configurable, but right now it isn't...
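An added example, written by the editor and not taken from the question or the answer, that reproduces both halves of the story above with nothing but the openssl CLI. It builds a throwaway root/intermediate PKI in a temporary directory, creates the OCSP request mod_ssl sends for the intermediate certificate (mod_ssl runs the OCSP check for every non-self-signed certificate in the chain, so the intermediate is queried as well, and it falls back to SSLOCSPDefaultResponder only for certificates that carry no OCSP URL in authorityInfoAccess), and answers that one request with two responders: an intermediate-level one, which is what the question's single responder did, and a root-level one whose signer was issued by the root, which is the fix in the answer. RFC 6960 section 4.2.2.2 requires a response about a certificate to be signed by the CA that issued it or by a delegate holding a certificate issued directly by that CA with the id-kp-OCSPSigning extended key usage; an intermediate-level signer answering for a root-issued certificate satisfies neither, and OpenSSL then reports "root ca not trusted" because the root has no explicit OCSP-signing trust setting. Everything runs offline through -reqin/-respout, so no ports are opened. The CA names, file names and the ocsp.example.test URLs are invented; the script needs a POSIX shell and an OpenSSL 1.1.1 or newer command line:

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway two-tier PKI built
# with the openssl CLI, and one OCSP request for the INTERMEDIATE certificate
# answered by two responders, one per CA level. Everything is offline via
# -reqin/-respout; CA names, file names and ocsp.example.test are invented.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $ENV::CA_DIR       # root or int, chosen per invocation
database       = $dir/index.txt     # the file `openssl ocsp -index` reads
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.pem
private_key    = $dir/ca.key
default_days   = 365
default_md     = sha256
policy         = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# the intermediate's own status is served by the ROOT-level responder
authorityInfoAccess = OCSP;URI:http://ocsp.example.test:2561
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning  # delegated responder, RFC 6960 4.2.2.2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = OCSP;URI:http://ocsp.example.test:2560
EOF

new_ca_dir() { mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"; }
new_csr()    { openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
                 -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
# issue <ca dir> <extension section> <csr basename> <output cert>
issue()      { CA_DIR=$1 openssl ca -batch -notext -config ca.cnf -extensions "$2" \
                 -in "$3.csr" -out "$4" 2>/dev/null; }

new_ca_dir root; new_ca_dir int
export CA_DIR=root                 # ca.cnf expands $ENV::CA_DIR even for `req`
new_csr root/ca "Example Root CA"
openssl x509 -req -in root/ca.csr -signkey root/ca.key -days 3650 -sha256 \
  -extfile ca.cnf -extensions v3_root -out root/ca.pem 2>/dev/null
new_csr int/ca    "Example Intermediate CA";          issue root v3_intermediate int/ca int/ca.pem
new_csr ocsp-root "Example Root OCSP Signer";         issue root v3_ocsp  ocsp-root ocsp-root.pem
new_csr client1   "client1";                          issue int  v3_client client1 client1.pem
new_csr ocsp-int  "Example Intermediate OCSP Signer"; issue int  v3_ocsp  ocsp-int ocsp-int.pem
cat int/ca.pem root/ca.pem > ca-chain.pem   # what SSLCACertificateFile holds

# The request mod_ssl sends at depth 1: its CertID names the ROOT as issuer, so
# the Issuer Key Hash is the root's subjectKeyIdentifier (the post's 79D4...).
openssl ocsp -issuer root/ca.pem -cert int/ca.pem -no_nonce -reqout req-int.der
openssl ocsp -reqin req-int.der -req_text | grep 'Issuer Key Hash'
openssl x509 -in root/ca.pem -noout -ext subjectKeyIdentifier

# 1) The question's setup: intermediate-level index and signer asked about a
#    root-issued certificate -> issuer mismatch -> "unknown", and the response
#    is signed by a delegate of the wrong CA.
openssl ocsp -index int/index.txt -CA int/ca.pem -rsigner ocsp-int.pem \
  -rkey ocsp-int.key -reqin req-int.der -respout bad.der
# 2) The answer's fix: a root-level responder whose signer the root issued.
openssl ocsp -index root/index.txt -CA root/ca.pem -rsigner ocsp-root.pem \
  -rkey ocsp-root.key -reqin req-int.der -respout good.der

# Verify as mod_ssl does: the chain file is the trust store, no special flags.
verify_resp() { openssl ocsp -respin "$1" -issuer root/ca.pem -cert int/ca.pem \
                  -no_nonce -CAfile ca-chain.pem 2>&1 || true; }
status_of()   { verify_resp "$1" | sed -n 's|^int/ca.pem: ||p'; }

echo "== intermediate-level responder (what the Apache log shows) =="; verify_resp bad.der
echo "== root-level responder (after the fix) ==";                    verify_resp good.der
```

The first verification prints "Response Verify Failure" with "root ca not trusted" and "int/ca.pem: unknown", the same pair of symptoms as the Apache log and the responder output in the question; the second prints "Response verify OK" and "int/ca.pem: good". To get the same outcome through Apache, the intermediate certificate has to carry an authorityInfoAccess OCSP URL pointing at the root-level responder, as v3_intermediate does here, because a single SSLOCSPDefaultResponder can only name one of the two responders.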