Apache mod_ssl日志客户端证书

时间:2019-02-21 22:59:45

标签: apache ssl client-certificates

在我的apache网络服务器中,有一条路径,客户端必须使用有效的证书进行身份验证。

有时有一个客户端(肥皂-网络服务)无法连接,我的apache返回403“ sslv3警报错误证书(SSL警报编号42)–证书中的主题CN不是服务器名称或与CA相同!! ”我需要检查原因以及使用的证书。

我为mod_ssl和一个customlog设置了trace3日志级别:

CustomLog /var/log/httpd-ssl.log "%t %h \"%{User-agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s \"%{SSL_CLIENT_S_DN_CN}x\" <<<%{SSL_CLIENT_CERT}x>>>"

<IfModule mod_ssl.c>
    ErrorLog /var/log/apache2/ssl_engine.log
    LogLevel trace3
</IfModule>

在第一个文件日志中,我可以看到可以连接的客户端的所有信息,但是当客户端失败时,没有有用的信息:

[16/Feb/2019:11:01:43 +0100] XXX.XXX.XXX.XXX "IBM WebServices/1.0" - - "POST MYSECRETPATH HTTP/1.1" 403 "-" <<<->>>

在第二个中,我可以看到一些信息,例如:

[Thu Feb 21 13:57:55.288418 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(359): [client xxx.xxx.xxx.xxx:56892] AH02034: Initial (No.1) HTTPS request received for child 5 (server XXX.XXX.XXX:443)
[Thu Feb 21 13:57:55.288591 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(743): [client xxx.xxx.xxx.xxx:56892] AH02255: Changed client verification type will force renegotiation
[Thu Feb 21 13:57:55.557866 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02221: Requesting connection re-negotiation
[Thu Feb 21 13:57:55.557902 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(970): [client xxx.xxx.xxx.xxx:56892] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Feb 21 13:57:55.557919 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.557932 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSL renegotiate ciphers
[Thu Feb 21 13:57:55.557948 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request A
[Thu Feb 21 13:57:55.557978 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.557986 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request C
[Thu Feb 21 13:57:55.557996 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02226: Awaiting re-negotiation handshake
[Thu Feb 21 13:57:55.558005 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.558016 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: before accept initialization
[Thu Feb 21 13:57:55.590106 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(2141): [client xxx.xxx.xxx.xxx:56892] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Thu Feb 21 13:57:55.590134 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 read client hello A
[Thu Feb 21 13:57:55.590146 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write server hello A
[Thu Feb 21 13:57:55.590177 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate A
[Thu Feb 21 13:57:55.590190 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate request A
[Thu Feb 21 13:57:55.590217 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.887495 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2001): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Read: SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887530 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2020): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887538 2019] [ssl:error] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02261: Re-negotiation handshake failed
[Thu Feb 21 13:57:55.887567 2019] [ssl:error] [pid 99609] SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?
[Thu Feb 21 13:57:55.887578 2019] [core:trace3] [pid 99609] request.c(117): [client xxx.xxx.xxx.xxx:56892] auth phase 'check access (with Satisfy All)' gave status 403: /my/secret/path
[Thu Feb 21 13:57:55.887611 2019] [http:trace3] [pid 99609] http_filters.c(1003): [client xxx.xxx.xxx.xxx:56892] Response sent with status 403

但是没有真正有用的东西。

我要记录/写入apache正在读取但不接受的证书。我该如何登录?

1 个答案:

答案 0 :(得分:0)

您可以通过添加以下JVM命令行参数并重新启动Application Server,在Application Server JVM配置中启用SSL调试日志:

-Djavax.net.debug = all

根据您的WAS版本,通常通过导航至WAS管理控制台>服务器>应用程序服务器> YourServer>进程管理> Java虚拟机>通用JVM参数来添加上述参数

相关问题
最新问题