Bug 220201 - problem between switch on ports with no certificate required to a port with certificate required
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: mod_ssl
Version: 4.4
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-12-19 16:57 UTC by Kleber Leal
Modified: 2007-11-17 01:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-01-31 17:45:11 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
ssl.conf ssl_erro_log and test sites (8.06 KB, text/plain)
2006-12-19 16:57 UTC, Kleber Leal

Description Kleber Leal 2006-12-19 16:57:18 UTC
Description of problem:
There is an error in the mod_ssl module.

Version-Release number of selected component (if applicable):
2.0.46.61.ent

How reproducible:
1



Steps to Reproduce:
1. Make a site running on port 443 with no certificate required, with a link to
the same host on port 8443. Port 8443 should request the client certificate.
2. Your server should accept certificates from a CA (in my case from an internal
CA).
3. Access the site (a simple site is attached).

  
Actual results:
The browser says "This page cannot be displayed" and the Apache server logged "No
acceptable peer certificate available".

The LogLevel of the webserver was set to debug.
I put the ssl_error_log in the attachment.

Expected results:
When clicking on the link to the url:port with certificate required, the server
should request a certificate and the browser should ask the user to choose the
certificate from the list.
When the certificate is selected and sent, the second site should open on screen.

Additional info:
The error occurs only if the actual URL is the same, changing only the port number.
In the tests, the site was https://blabla.com.br (with no certificate required)
and the link was to https://blabla.com.br:8443 (with certificate required).

PS: on the screen with the error (This page cannot be displayed), if you copy the
URL and paste it into another browser window, the certificate is requested and you
can access the site.

The error seems to occur only on IE (6 and 7 were tested), but with Firefox the
application (on WebSphere) cannot receive data from the certificate.

Comment 1 Kleber Leal 2006-12-19 16:57:18 UTC
Created attachment 144015 [details]
ssl.conf ssl_erro_log and test sites

Comment 2 Joe Orton 2007-01-04 15:59:28 UTC
Thanks for the report.  To be clear, is Firefox working exactly as expected, i.e.
the browser is supplying the requested certificate when connected to the :8443 vhost?

There is a misconfiguration here, though I'm not sure if it makes any difference.

Inside the vhost blocks, the ServerNames:

ServerName xxxxxxxxxxxxxxx.gov.br

should have the ":port" appended (:443 and :8443 appropriately).

There is no attempt to renegotiate logged which is odd.

In the :8443 vhost, if you nest the

SSLVerifyClient require
SSLVerifyDepth  10

as:

<Location />
  SSLVerifyClient require
  SSLVerifyDepth  10
</Location>

does that make a difference?


Comment 3 Kleber Leal 2007-01-17 12:17:28 UTC
Hi Orton, thanks for the help.
Using your suggestion I solved the problem.
I just added the port number to the ServerName.
(ServerName xxxxxxxxxxxxxxx.gov.br:443 and
ServerName xxxxxxxxxxxxxxx.gov.br:8443)

The bug can be closed.

Kléber
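The layout Comment 2 suggests and Comment 3 confirms, written out as an added example of a working ssl.conf (this is not the reporter's attached configuration; the hostname, document roots and file paths are placeholders):

```apache
# Added example: two SSL vhosts on one host, 443 open to everyone and 8443
# requiring a client certificate. ServerName carries the :port on both, as
# Comment 2 recommends and Comment 3 reports fixed the problem. The
# hostname and all paths below are placeholders, not values from this bug.
Listen 443
Listen 8443

# The form from the original report, which did not work: no port suffix.
#   ServerName www.example.gov.br

<VirtualHost _default_:443>
    ServerName www.example.gov.br:443
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # No SSLVerifyClient here: this site is reachable without a client cert.
</VirtualHost>

<VirtualHost _default_:8443>
    ServerName www.example.gov.br:8443
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # CA whose client certificates are accepted (the internal CA in the report).
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/internal-ca.crt
    # Scoped to a Location as in Comment 2. Because the requirement is
    # per-directory, mod_ssl asks for the certificate by renegotiating after
    # it has read the request; with LogLevel debug that renegotiation should
    # show up in ssl_error_log, which is the check Comment 2 was looking for.
    <Location />
        SSLVerifyClient require
        SSLVerifyDepth  10
    </Location>
</VirtualHost>
```

If the debug log for a :8443 request shows no renegotiation at all, the request was most likely served by a vhost other than the one carrying SSLVerifyClient, which is what the ServerName:port fix addresses.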

Comment 4 Joe Orton 2007-01-31 17:45:11 UTC
Thanks for letting us know.

