Weblog

21 September 2011, 09:06

A few days ago, Andrew posted a forum message about SSL client authentication not working in Hiawatha (the RequiredCA option). I tested it myself and it was indeed not working anymore. Andrew soon came up with a patch. Although the patch works for him, it did not for me. At least, not on my Ubuntu server.

SSL client authentication in Hiawatha still works fine on my MacBook Pro, even without Andrew's patch. My conclusion is that it must somehow have something to do with the OpenSSL version on my Ubuntu server, which is version 0.9.8g. On my MacBook Pro I have 0.9.8r.

I did some research, but I can't figure out what's going wrong on my server. Any OpenSSL guru out there willing to help me out on this issue?

Palatinux
21 September 2011, 15:19
Hi Hugo,

Can you post a TCP dump of both client sessions, and do you have a dummy site where we can test out the client auth? That SSL version, 0.9.8g, was released four years ago and has multiple vulnerabilities and issues.

In Fortress Linux we use the latest version, 1.0.0e, and we are happy to test it out.
Palatinux
23 September 2011, 01:03
Hi Hugo,

Thank you for the PCAP files.

After analyzing the binary data, it seems that the initial handshake (step one in this picture: http://alturl.com/dcbb3) fails. The message has an invalid length.

You can support this 'invalid length' in Hiawatha, but the cause is a bug in OpenSSL and the TLS package for this verification method. But be aware: this fault can also be used to intercept an SSL session.

My recommendation: upgrade these deprecated OpenSSL and TLS versions.
Palatinux
23 September 2011, 13:43
Hi Hugo,

Take a look at this OpenSSL bug report from 2008:

http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1673

I can't be 100% sure since I cannot test it out, but this report also describes how to test it with gnutls-cli and openssl.