
I'm having a problem when trying to enable SSLVerifyClient, so users can access using a cert installed on their browser.

I have created the CA, the certs, the keys and everything. On my Apache conf, I have this:

```apache
<VirtualHost *:443>
    DocumentRoot "C:\xampp\htdocs\web.es"
    ServerName web.es
    ServerAlias web.es
    SSLEngine on
    SSLCertificateFile "conf/ssl.crt/cert.crt"
    SSLCertificateKeyFile "conf/ssl.key/private.key"
    SSLCACertificateFile "conf/ssl.crt/ca.crt"
    #SSLProtocol -all +TLSv1.2
    <LocationMatch ^/cert_test$>
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
    </LocationMatch>
</VirtualHost>
```

I have the "LocationMatch" because I just want the cert stuff there.

Logs here:

```text
[Wed Jan 13 12:25:18.705565 2021] [ssl:error] [pid 10148:tid 1832] [client 127.0.0.1:50913] AH10158: cannot perform post-handshake authentication
[Wed Jan 13 12:25:18.705565 2021] [ssl:error] [pid 10148:tid 1832] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
```

The thing is, I've been searching for days now and today I just found the problem was TLS 1.3. If I uncomment the line SSLProtocol -all +TLSv1.2 (which must be outside the LocationMatch or Apache won't even start, I've tested it), Apache will use TLS 1.2, and then everything works fine. The browser asks for the certificate and, selecting the one that works, I'm allowed onto the page. If I use TLS 1.3 (the default option), I always obtain a "Forbidden. You don't have permission to access this resource. Reason: Cannot perform Post-Handshake Authentication".

I've been searching for hours and I can't find a solution for this. The only thing I've found is, in Firefox, about:config, enabling security.tls.enable_post_handshake_auth. For Chromium-based browsers the result is the same, but I couldn't find a "deeper-conf" solution like in Firefox. Anyway, that would not be a solution.

Versions are here: Apache/2.4.46 (Win64) - OpenSSL/1.1.1g - PHP/7.4.10 - Port 443

Is there a problem with my configuration or is it a problem with TLS?

Thank you.

EDIT: as @Steffen Ullrich says in comments below, this is not supported yet in browsers (in Firefox it is, but only by enabling an option in about:config, which is not user-friendly and not an option, at least not for me). If someone has the same problem as me, as of 14/01/2021 there is no way.

Peter
  • Post your error logs onto your question to help us to better understand the root cause of this problem. It should be located inside the logs directory inside of the apache2/httpd directory, since you are using Apache on windows. Try to scan your site using [SSL Labs](https://www.ssllabs.com/ssltest/) later, if it is on the internet. You might also identify vulnerabilities. – Example person Jan 13 '21 at 13:01
  • Hi, @Chi.C.J.RajeevaLochana thanks for reminding me of that. I've updated the post. – Peter Jan 13 '21 at 14:59
  • did you try using chromium? Does the same error happen with it? Let me know. I found https://stackoverflow.com/questions/53062504/apache-2-4-37-with-openssl-1-1-1-cannot-perform-post-handshake-authentication, but I am not sure if that addresses your question. – Example person Jan 13 '21 at 15:13
  • Yes, in Chromium-based browsers the same thing happens. I will check the link you posted. Thank you. – Peter Jan 13 '21 at 15:35
  • Update: the solution in the link didn't work. – Peter Jan 13 '21 at 15:42
  • You did nothing wrong. Post handshake authentication in TLS 1.3 is not implemented in Chrome and only available behind a flag in Firefox. – Steffen Ullrich Jan 13 '21 at 15:55
  • @SteffenUllrich damn LOL – Example person Jan 13 '21 at 17:25
  • @SteffenUllrich Thanks for telling me. At least I know it's nothing wrong with what I have done. Thank you very much. – Peter Jan 14 '21 at 07:59
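The failure mode in this thread has two observable sides: a config that asks for a client certificate only inside a per-request container (so mod_ssl must request it after the handshake), and AH10158 errors in the error log from browsers that negotiated TLS 1.3 without offering the post_handshake_auth extension. The following Python script is an added example, not code from the question, from Apache or from any answer here; it parses the question's config and log format, counts AH10158 failures per client IP, and flags a vhost that still allows TLSv1.3 while carrying SSLVerifyClient inside a Location/LocationMatch/Directory block. It assumes an OpenSSL 1.1.1 build (as in the question) so that SSLProtocol "all" includes TLSv1.3, and uses Apache 2.4's default of "all -SSLv3" when no SSLProtocol directive is present. The first two log lines are the ones quoted above; the remaining log lines and client addresses are constructed for the example.

```python
import re
from collections import Counter

# --- Sample inputs ------------------------------------------------------------
# First two lines: quoted from the question. The rest (and their client
# addresses) are constructed for this example.
SAMPLE_ERROR_LOG = """\
[Wed Jan 13 12:25:18.705565 2021] [ssl:error] [pid 10148:tid 1832] [client 127.0.0.1:50913] AH10158: cannot perform post-handshake authentication
[Wed Jan 13 12:25:18.705565 2021] [ssl:error] [pid 10148:tid 1832] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Wed Jan 13 12:26:02.100000 2021] [ssl:error] [pid 10148:tid 1832] [client 127.0.0.1:50920] AH10158: cannot perform post-handshake authentication
[Wed Jan 13 12:27:45.000000 2021] [ssl:error] [pid 10148:tid 1832] [client 10.0.0.7:41022] AH10158: cannot perform post-handshake authentication
[Wed Jan 13 12:28:00.000000 2021] [core:notice] [pid 10148:tid 1832] AH00094: Command line: 'httpd'
"""

# The vhost from the question, with its SSLProtocol line still commented out.
QUESTION_VHOST = r"""
<VirtualHost *:443>
    DocumentRoot "C:\xampp\htdocs\web.es"
    ServerName web.es
    ServerAlias web.es
    SSLEngine on
    SSLCertificateFile "conf/ssl.crt/cert.crt"
    SSLCertificateKeyFile "conf/ssl.key/private.key"
    SSLCACertificateFile "conf/ssl.crt/ca.crt"
    #SSLProtocol -all +TLSv1.2
    <LocationMatch ^/cert_test$>
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
    </LocationMatch>
</VirtualHost>
"""
# The workaround the question describes: same vhost, SSLProtocol uncommented.
QUESTION_VHOST_TLS12 = QUESTION_VHOST.replace("#SSLProtocol", "SSLProtocol")

# --- Error log side -----------------------------------------------------------
# Apache 2.4 error-log layout as seen in the question: [time] [module:level]
# [pid N:tid N] [client addr:port] message. The client field is optional and
# an IPv6 address is written in brackets, e.g. [client [::1]:50913].
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>\[[0-9a-fA-F:.]+\]:\d+|[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)


def pha_failures_by_client(log_text):
    """Count AH10158 (cannot perform post-handshake authentication) per client IP.

    Many distinct clients hitting this on a vhost with per-location
    SSLVerifyClient is the signature of the problem in the question: the browser
    negotiated TLS 1.3 but did not advertise post_handshake_auth.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["module"] != "ssl" or not m["msg"].startswith("AH10158"):
            continue
        client = m["client"] or "unknown"
        counts[re.sub(r":\d+$", "", client)] += 1  # drop the ephemeral source port
    return counts


# --- Config side --------------------------------------------------------------
PROTOCOL_NAMES = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANONICAL = {p.lower(): p for p in PROTOCOL_NAMES}
# Containers in which SSLVerifyClient applies per request, i.e. after the
# handshake (renegotiation on TLS 1.2, post-handshake auth on TLS 1.3).
PER_REQUEST_CONTAINERS = {"location", "locationmatch", "directory",
                          "directorymatch", "files", "filesmatch"}
CONTAINER_OPEN = re.compile(r"^<(?P<name>[A-Za-z]+)(?:\s[^>]*)?>$")
CONTAINER_CLOSE = re.compile(r"^</(?P<name>[A-Za-z]+)>$")


def protocols_from_sslprotocol(args):
    """Resolve SSLProtocol arguments to the set of enabled versions.

    A bare name or '+name' adds, '-name' removes, 'all' expands to every
    version. Assumption: OpenSSL 1.1.1 build, so 'all' includes TLSv1.3.
    """
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = PROTOCOL_NAMES if name.lower() == "all" else {_CANONICAL.get(name.lower(), name)}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def check_client_cert_config(conf_text):
    """Flag the trap from the question: SSLVerifyClient require/optional inside a
    per-request container while TLSv1.3 is still enabled. Returns the enabled
    protocols, the containers involved, and an 'at_risk' verdict."""
    stack, per_request, protocols = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        m = CONTAINER_OPEN.match(line)
        if m:
            stack.append(m["name"].lower())
            continue
        if CONTAINER_CLOSE.match(line):
            stack.pop()
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "sslprotocol":
            protocols = protocols_from_sslprotocol(parts[1:])
        elif directive == "sslverifyclient" and len(parts) > 1 and parts[1].lower() in {"require", "optional"}:
            inside = [c for c in stack if c in PER_REQUEST_CONTAINERS]
            if inside:
                per_request.append(inside[-1])
    if protocols is None:  # Apache 2.4 default when the directive is absent
        protocols = protocols_from_sslprotocol(["all", "-SSLv3"])
    return {
        "protocols": protocols,
        "per_request_client_auth": per_request,
        "at_risk": bool(per_request) and "TLSv1.3" in protocols,
    }


if __name__ == "__main__":
    print("AH10158 per client:", dict(pha_failures_by_client(SAMPLE_ERROR_LOG)))
    print("as posted:        ", check_client_cert_config(QUESTION_VHOST))
    print("TLS 1.2 only:     ", check_client_cert_config(QUESTION_VHOST_TLS12))
```

Run against the posted vhost the checker reports `at_risk` because TLSv1.3 is in the default protocol set and `SSLVerifyClient` sits inside a `LocationMatch`; with the `SSLProtocol -all +TLSv1.2` line uncommented it reports only TLSv1.2 and no risk, which is the behaviour the question observed. Moving `SSLVerifyClient` to the VirtualHost level also clears the flag, since the certificate is then requested during the initial handshake and no post-handshake authentication is needed.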
