Re: self-signed

On 13.04.2011 23:47, Henry Story wrote:
> Joe Presbrey is certainly the right person to ask given that he has written 
> code at the Apache TLS level http://dig.csail.mit.edu/2009/mod_authn_webid/
> 
> On 13 Apr 2011, at 23:01, Nathan wrote:
> 
>> Joerg Anders wrote:
>>> On Wed, 13 Apr 2011, Joe Presbrey wrote:
>>>>
>>>> data.fm works with my WebID at http://presbrey.mit.edu/foaf#presbrey
>>>>
>>> Hmm, I get ssl_error_certificate_unknown_alert
>>>> We openly welcome self-signed certs.
>>>>
>>>> I've just reconfirmed my cert with pubkey B2AB30... is self-signed.
>>>>
>>>> Would you mind sharing your WebID URL and X509 certificate?
>>>>
>>> You can test it with: http://foaf.me/Hans#me
>>> The PKCS12 File is at
>>>  http://vsr.informatik.tu-chemnitz.de/staff/jan/WEBID/webid.xhtml
>>> (ignore the German text, download only HannesElmert.p12)
>>> The password for importing into Firefox is
>>>      HansElmert
>>> BTW: It works on https://bblfish.net:8443/test/WebId
>>
>> Joe, Joerg,
>>
>> If it helps any, I can confirm that the error isn't in the WebID implementation, it's apache sending back the error message, you can see it duplicated on: https://a.open.gs/ which does /not/ have any WebID implementation, it only has apache configured to request the certificate.
> 
> I wonder if there are X509 specialists who can tell if there is something that is problematic with Hans' certificate
> 

Seems like there is a critical extension which can't be handled by the
apache server (openssl). Here is the apache log:

[Thu Apr 14 00:53:49 2011] [error] [client 127.0.0.1] Certificate
Verification: Error (34): unhandled critical extension
[Thu Apr 14 00:53:49 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL:
Write: SSLv3 read client certificate B
[Thu Apr 14 00:53:49 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Thu Apr 14 00:53:49 2011] [error] [client 127.0.0.1] Re-negotiation
handshake failed: Not accepted by client!?

How was the certificate created? Could you remove the critical flag from
the extensions step by step until it's working?

> $ openssl pkcs12 -clcerts -nokeys -in Desktop/HannesElmert.p12 | openssl x509 -noout -text
> Enter Import Password:
> MAC verified OK
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2483388820 (0x94058194)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=DC, L=Washington, O=Self-Signed, OU=Institut/UID=Hans, CN=Hans Elmert
>         Validity
>             Not Before: Apr  5 13:42:38 2011 GMT
>             Not After : Apr  5 13:42:38 2014 GMT
>         Subject: C=US, ST=DC, L=Washington, O=Self-Signed, OU=Institut/UID=Hans, CN=Hans Elmert
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                     00:db:88:8e:1a:5d:78:f4:b2:f5:22:a3:dc:2c:a4:
>                     4b:57:83:d2:f5:e7:57:c0:8e:52:48:cb:cf:3a:2a:
>                     c4:6b:93:42:dd:fc:b3:30:ac:32:9f:0e:61:24:c4:
>                     d3:7a:1a:32:9e:c8:82:0c:6c:13:df:30:58:2d:2e:
>                     d3:a6:0f:37:91:50:9c:72:5e:6c:d7:f6:71:3d:22:
>                     ce:5e:da:92:b6:c2:fe:3d:34:18:db:6d:60:96:49:
>                     57:ab:8b:f3:7d:e2:fb:62:a7:4e:3d:67:6b:95:f2:
>                     db:e5:2b:c7:e3:16:05:e2:4a:3d:b0:93:bb:e9:04:
>                     59:4d:a9:f8:86:7c:34:42:7d
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             Netscape Cert Type: critical
>                 SSL Client, S/MIME, Object Signing
>             X509v3 Subject Alternative Name: critical
>                 email:ba.obma@vodafone.de, URI:http://foaf.me/Hans#me
>             X509v3 Subject Key Identifier: critical
>                 58:92:81:B9:80:08:6F:6F:C9:65:D7:2E:70:D5:D8:D8:DC:28:3F:47
>             X509v3 Extended Key Usage: critical
>                 TLS Web Client Authentication, Code Signing, E-mail Protection
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>     Signature Algorithm: sha1WithRSAEncryption
>         9e:18:18:7b:bf:24:de:17:12:85:69:cf:ab:ac:a7:ab:9d:59:
>         75:e4:41:26:22:76:81:fd:02:48:56:5e:62:0b:50:94:93:bc:
>         19:40:3c:63:bd:89:43:fc:35:3a:6a:7f:a6:db:23:1f:15:eb:
>         63:87:02:c1:80:96:0f:85:13:12:f8:c4:d6:e7:58:cb:2f:b9:
>         58:37:f9:08:29:7c:a7:51:87:dd:59:e3:1b:ab:ff:e8:9e:61:
>         5f:27:e9:ea:5a:e2:df:69:43:2b:1c:a9:2a:83:6c:d7:bc:bb:
>         20:b1:f6:9d:c6:b1:e0:07:95:29:bb:c6:f7:a8:1c:57:5d:33:
>         d1:92
> 
>>
>> Best,
>>
>> Nathan
>>
>>
> 
> Social Web Architect
> http://bblfish.net/
> 

Received on Wednesday, 13 April 2011 23:34:14 UTC
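The reply above asks which critical extension trips the Apache/OpenSSL verifier and suggests removing the critical flags one by one. The Python script below is an added example, not code from anyone in this thread: it parses the `openssl x509 -text` output quoted above, lists each extension with its critical flag, and reports which critical extensions OpenSSL's verifier refuses to process (the condition behind "Error (34): unhandled critical extension"). The handled-extension set is an assumption taken from X509_supported_extension() in OpenSSL 1.0.x, the series current when this was posted; confirm it against your own build. On the posted certificate it singles out the critical Subject Key Identifier, which RFC 5280 section 4.2.1.2 requires to be non-critical, so that is the flag to drop first.

```python
"""Triage helper for OpenSSL's "Error (34): unhandled critical extension".

Added example for this thread, not any poster's code. Reads the text printed
by `openssl x509 -noout -text` and flags critical extensions the verifier
cannot handle. Assumption: the handled set below matches
X509_supported_extension() in OpenSSL 1.0.x; check crypto/x509v3/v3_purp.c.
"""
import re

# Extensions OpenSSL 1.0.x accepts when marked critical (assumed list, see
# module docstring). Names are the ones `openssl x509 -text` prints.
OPENSSL_HANDLED_CRITICAL = {
    "Netscape Cert Type",
    "X509v3 Key Usage",
    "X509v3 Subject Alternative Name",
    "X509v3 Basic Constraints",
    "X509v3 Certificate Policies",
    "X509v3 Extended Key Usage",
    "X509v3 Policy Constraints",
    "Proxy Certificate Information",
    "X509v3 Name Constraints",
    "X509v3 Policy Mappings",
    "X509v3 Inhibit Any Policy",
    "sbgp-ipAddrBlock",
    "sbgp-autonomousSysNum",
}

# RFC 5280 criticality rules for the extensions that appear in the thread.
RFC5280_RULES = {
    "X509v3 Subject Key Identifier": "MUST be non-critical (RFC 5280 s.4.2.1.2)",
    "X509v3 Subject Alternative Name": "SHOULD be non-critical when Subject is non-empty (s.4.2.1.6)",
    "X509v3 Key Usage": "SHOULD be critical (s.4.2.1.3)",
    "X509v3 Extended Key Usage": "MAY be critical (s.4.2.1.12)",
    "X509v3 Basic Constraints": "MAY be critical in end-entity certificates (s.4.2.1.9)",
    "Netscape Cert Type": "legacy extension, not defined in RFC 5280",
}

# Extension section of the certificate posted in this thread, copied from the
# quoted `openssl x509 -text` output (mail quoting kept on purpose).
SAMPLE_TEXT = """\
>         X509v3 extensions:
>             Netscape Cert Type: critical
>                 SSL Client, S/MIME, Object Signing
>             X509v3 Subject Alternative Name: critical
>                 email:ba.obma@vodafone.de, URI:http://foaf.me/Hans#me
>             X509v3 Subject Key Identifier: critical
>                 58:92:81:B9:80:08:6F:6F:C9:65:D7:2E:70:D5:D8:D8:DC:28:3F:47
>             X509v3 Extended Key Usage: critical
>                 TLS Web Client Authentication, Code Signing, E-mail Protection
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>     Signature Algorithm: sha1WithRSAEncryption
"""

QUOTE_PREFIX = re.compile(r"^(?:> ?)+")  # strips "> " / ">> " mail quoting


def parse_extensions(text):
    """Return [{'name', 'critical', 'value'}] for each X509v3 extension.

    Extension headers sit at 12 spaces of indent in `-text` output, their
    values deeper; the section ends at the first shallower line.
    """
    exts = []
    in_section = False
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw)
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_section = True
            continue
        if not in_section:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if not stripped or indent < 12:
            break  # reached 'Signature Algorithm:' (or end of input)
        if indent == 12:
            name, _, rest = stripped.partition(":")
            exts.append({"name": name.strip(),
                         "critical": rest.strip() == "critical",
                         "value": []})
        elif exts:
            exts[-1]["value"].append(stripped)
    return exts


def unhandled_critical(exts):
    """Names of critical extensions that make OpenSSL fail with error 34."""
    return [e["name"] for e in exts
            if e["critical"] and e["name"] not in OPENSSL_HANDLED_CRITICAL]


def report(text):
    """One line per extension plus a verdict line, as a list of strings."""
    exts = parse_extensions(text)
    lines = []
    for e in exts:
        flag = "critical" if e["critical"] else "non-critical"
        lines.append(f"{e['name']}: {flag} [{RFC5280_RULES.get(e['name'], 'no rule in table')}]")
    bad = unhandled_critical(exts)
    lines.append("Verifier fails with 'unhandled critical extension' on: " + ", ".join(bad)
                 if bad else "No critical extension the verifier cannot handle.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TEXT)))
```

Feed it the `-text` output of your own certificate in place of SAMPLE_TEXT; quoted copies from a mail reply work unchanged. The check only covers the extensions the verifier refuses outright; a certificate that passes it can still be rejected for other reasons (expired validity, an issuer Apache does not trust), which show up under different error numbers in the mod_ssl log.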