Apache client authentication OCSP responder problem

Time: 2018-03-11 15:59:40

Tags: apache ssl openssl ocsp ssl-client-authentication

I'm having a problem setting up Apache 2.4.29 on Windows to use a working OCSP responder for client authentication. Client authentication works fine when the OCSP responder is turned off. I'm also able to verify that my client certificate status is "good" when I manually send a request to the OCSP responder with OpenSSL. It's only a problem when using it in Apache...

Certificate authorities (I'm acting as my own CA):

  • Root CA > Intermediate CA

  • Intermediate CA > Client certificate 1

  • Intermediate CA > OCSP signing certificate

Certificate files

  • ca-chain.cert.pem (root CA and intermediate CA certificates)

  • intermediate.cert.pem (intermediate CA certificate)

  • ocsp.mydomain.com.cert.pem (OCSP signing certificate)

  • client1.cert.pem (client certificate)

Windows setup

  • Imported the root CA and intermediate CA certificates into the "Trusted Root Certification Authorities" and "Intermediate Certification Authorities" stores respectively, along with their private keys (imported as .pfx)
  • Imported the client certificate into the "Personal" certificate store along with its private key (imported as .pfx)

OCSP responder server

openssl ocsp -port ocsp.mydomain.com:2560 -text -sha256 \
    -index intermediate/index.txt \
    -CA intermediate/certs/ca-chain.cert.pem \
    -rkey intermediate/private/ocsp.mydomain.com.key.pem \
    -rsigner intermediate/certs/ocsp.mydomain.com.cert.pem

Manual OCSP request (just to confirm everything is set up correctly outside of Apache)

  • Request

    openssl ocsp -CAfile intermediate/certs/ca-chain.cert.pem \
        -url http://ocsp.mydomain.com:2560 -resp_text \
        -issuer intermediate/certs/intermediate.cert.pem \
        -cert intermediate/certs/client1.cert.pem
    
  • Response (... marks verbose output that was left out and is not actually in the response)

    ...
    Certificate ID:
        ...
        Issuer Key Hash: 6FBE86C0DE4500EE4945D1ECC3E41F9DACF5CEEC
        ...
    ...
    Response verify OK
    intermediate/certs/client1.cert.pem: good
    
  • The "Issuer Key Hash" above matches the "Authority Key Identifier" of the client certificate in my "Personal" certificate store, so everything looks good

Apache setup

SSLVerifyClient require
SSLVerifyDepth 10
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://ocsp.mydomain.com:2560"
SSLCACertificateFile "${SRVROOT}/conf/ssl/ca-chain.cert.pem"

Apache error

Library Error: OCSP_basic_verify: root ca not trusted (log details below)

    1973: connecting to OCSP responder 'ocsp.mydomain.com:2560'
    1975: sending request to OCSP responder
    AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / issuer: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / serial: B0992B306BCDD3BD / notbefore: Mar 10 21:09:10 2018 GMT / notafter: Mar  5 21:09:10 2038 GMT]
    AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=Generic Code Intermediate CA,O=Generic Code,ST=New York,C=US / issuer: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / serial: 1000 / notbefore: Mar 10 21:20:32 2018 GMT / notafter: Mar  7 21:20:32 2028 GMT]
    _util_ocsp.c(96):1973: connecting to OCSP responder 'ocsp.mydomain.com:2560'
    _util_ocsp.c(124):1975: sending request to OCSP responder
    _util_ocsp.c(234): 1981: OCSP response header: Content-type: application/ocsp-response
    _util_ocsp.c(234): 1981: OCSP response header: Content-Length: 2270
    _util_ocsp.c(282): 1987: OCSP response: got 2270 bytes, 2270 total
    1925: failed to verify the OCSP response
    Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
    AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=Generic Code Intermediate CA,O=Generic Code,ST=New York,C=US / issuer: CN=Generic Code Root CA,O=Generic Code,ST=New York,C=US / serial: 1000 / notbefore: Mar 10 21:20:32 2018 GMT / notafter: Mar  7 21:20:32 2028 GMT]
    2008: library error 1 in handshake (server localhost:443)
    Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    1998: Connection closed to child 38 with abortive shutdown (server localhost:443)

OCSP responder server's error response when hit by Apache

  • Response (... marks verbose output that was left out and is not actually in the response)

    ...
    Certificate ID:
        ...
        Issuer Key Hash: 79D4440D1471385397B194EF1038CEEEEFBBAC24
        ...
    Cert Status: unknown
    ...
    
  • The "Issuer Key Hash" above matches the "Authority Key Identifier" of the root CA certificate in my "Trusted Root Certification Authorities" store. WTF? Why?

Can anyone see what I've done wrong, or know why this doesn't work?

1 answer:

Answer 0 (score: 0)

I got this working.

  • Re-issued the intermediate CA with OCSP information
  • Set up a second OCSP responder for the intermediate CA's OCSP information, with the second OCSP responder's signing certificate signed by the root CA
  • Re-ran the tests, and now everything is good

It looks like mod_ssl has to verify the whole certificate chain rather than stopping at the client certificate itself. I wish it were configurable, but it isn't at the moment...
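An offline reproduction of the failure in the question and of the fix in this answer, as an added example that is not part of the original question or answer. It builds a throwaway PKI with made-up names (Demo Root CA, Demo Intermediate CA, client1, two OCSP signers called ocsp-int and ocsp-root, all invented here) and drives `openssl ocsp` in file mode (`-reqin`/`-respout` together with `-index`) instead of a listening responder, so no port is needed. The first check mirrors the manual test in the question: the client certificate, answered by a responder whose signing certificate was issued by the intermediate, comes back good. The second check mirrors what mod_ssl did when it walked the chain: it asks the same responder about the intermediate certificate itself, whose issuer is the root, and verification fails with "root ca not trusted". The reason is that OpenSSL's OCSP_basic_verify only accepts a delegated signer that was issued by the same CA that issued the certificate being checked (RFC 6960 section 4.2.2.2); a signer issued by the intermediate cannot vouch for a certificate issued by the root, so OpenSSL falls back to asking whether the chain's root is explicitly trusted for OCSP signing, which a plain root in a CA file is not. The third check applies the answer's fix: a second signer issued by the root, with its own index listing the intermediate's serial.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce "root ca not trusted"
# with openssl ocsp in file mode, then show the answer's fix. Every subject,
# serial and file name here is invented for the demo.
set -eu

WORK=$(mktemp -d)   # files are left here for inspection
cd "$WORK"

# Extension profiles for the demo PKI. [req]/[dn] exist only so that
# `openssl req -config` accepts -subj without prompting.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ocsp_signer]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# gen_csr NAME SUBJECT: fresh P-256 key and CSR (fast; RSA would work the same).
gen_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" -config ext.cnf >/dev/null 2>&1
}

# sign_cert NAME ISSUER SERIAL EXT_SECTION: issue NAME.pem from NAME.csr.
sign_cert() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
        -days 365 -sha256 -extfile ext.cnf -extensions "$4" -out "$1.pem" >/dev/null 2>&1
}

build_pki() {
    gen_csr root "/CN=Demo Root CA"
    openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 365 -sha256 \
        -extfile ext.cnf -extensions v3_ca -out root.pem >/dev/null 2>&1
    gen_csr int "/CN=Demo Intermediate CA"; sign_cert int root 2 v3_intermediate
    gen_csr client1 "/CN=client1";          sign_cert client1 int 0x1000 client
    # Signer issued by the intermediate: the setup in the question.
    gen_csr ocsp-int "/CN=ocsp-int";        sign_cert ocsp-int int 0x1001 ocsp_signer
    # Signer issued by the root: the second responder from the answer.
    gen_csr ocsp-root "/CN=ocsp-root";      sign_cert ocsp-root root 3 ocsp_signer
    cat int.pem root.pem > ca-chain.pem
    # `openssl ocsp -index` databases (openssl ca format, tab separated):
    # status, expiry, revocation date, serial (hex), file, subject.
    printf 'V\t300101000000Z\t\t1000\tunknown\t/CN=client1\n' > int-index.txt
    printf 'V\t300101000000Z\t\t02\tunknown\t/CN=Demo Intermediate CA\n' > root-index.txt
    printf 'unique_subject = yes\n' | tee int-index.txt.attr > root-index.txt.attr
}

# ocsp_check CERT ISSUER RESPONDER_CA SIGNER INDEX
# Builds a request for CERT, answers it with a responder configured like the
# one on this page (reading/writing files instead of listening on a port),
# then verifies the response against ca-chain.pem the way a client would.
# Prints "good"/"revoked"/"unknown", or "verify-failed: <reason>".
ocsp_check() {
    cert=$1; issuer=$2; rca=$3; signer=$4; index=$5
    openssl ocsp -issuer "$issuer.pem" -cert "$cert.pem" -no_nonce \
        -reqout req.der >/dev/null 2>&1
    openssl ocsp -index "$index" -CA "$rca.pem" -rsigner "$signer.pem" -rkey "$signer.key" \
        -rmd sha256 -reqin req.der -respout resp.der >/dev/null 2>&1
    if out=$(openssl ocsp -respin resp.der -CAfile ca-chain.pem -issuer "$issuer.pem" \
                 -cert "$cert.pem" -no_nonce 2>err.txt); then
        printf '%s\n' "$out" | awk -v f="$cert.pem:" '$1 == f { print $2 }'
    elif grep -q 'root ca not trusted' err.txt; then
        echo 'verify-failed: root ca not trusted'
    else
        echo 'verify-failed'
    fi
}

build_pki
echo "work dir: $WORK"
echo "client1 via intermediate-issued signer:      $(ocsp_check client1 int int ocsp-int int-index.txt)"
echo "intermediate via intermediate-issued signer: $(ocsp_check int root int ocsp-int int-index.txt)"
echo "intermediate via root-issued signer:         $(ocsp_check int root root ocsp-root root-index.txt)"
```

The three lines print good, "verify-failed: root ca not trusted", and good, in that order. The second case is the same combination mod_ssl produced in the log above: a certificate ID whose issuer hashes belong to the root, answered and signed by a responder that only knows the intermediate. Passing more certificates to `-CAfile` would not help; what matters is who issued the signing certificate, which is why the answer needed a second signer under the root.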