Client certificate authentication sslv3 alert handshake failure when Location directive is set

Tags: apache-2.2, mod-ssl, phusion-passenger

I am trying to set up client certificate authentication for a web service that is running on Rails. The service runs on Apache 2, Passenger, and mod_ssl. I have been able to successfully generate the keys and set up client certificate authentication for the entire domain. This works fine; however, when I try to include the Location directive I always get this error (from browsers and the Ruby client):

SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError).  

When I run the command from curl I get this error:

curl: (52) Empty reply from server

If I remove the directive, it works fine. This is what my configuration for this virtual host looks like.

    # An SSLEngine vhost must listen on the TLS port only; the original also
    # bound *:80, which makes Apache speak TLS to plain-HTTP clients on port 80.
    <VirtualHost *:443>
        ServerName wrangler.optimis.local
        DocumentRoot "/Users/jmoore/Sites/data-wrangler/public/"
        RackEnv development
        ErrorLog "/Users/jmoore/Sites/data-wrangler/log/error.log"
        CustomLog "/Users/jmoore/Sites/data-wrangler/log/access.log" common
        SetEnv GEM_HOME /Users/jmoore/.rvm/gems/ree-1.8.7-2010.02
        SetEnv GEM_PATH /Users/jmoore/.rvm/gems/ree-1.8.7-2010.02

        # Enable SSL on this domain
        SSLEngine on
        # ALL includes SSLv2/SSLv3 on Apache 2.2; tighten (e.g. ALL -SSLv2) once the handshake issue is solved
        SSLProtocol ALL
        SSLCipherSuite HIGH:MEDIUM
        SSLCertificateFile /etc/apache2/ssl.key/new/wrangler_servercert.pem
        SSLCertificateKeyFile /etc/apache2/ssl.key/new/wrangler_server.nopass.key

        # Enable SSL client certificates, but disable verification for the entire domain (we only want it on specific URLs)
        #SSLCACertificatePath /etc/apache2/ssl.key/new/demoCA
        SSLCACertificateFile /etc/apache2/ssl.key/new/demoCA/cacert.pem
        #SSLCertificateChainFile /etc/apache2/ssl.key/new/demoCA/cacert.pem
        #SSLVerifyClient require
        SSLVerifyClient none
        #SSLVerifyDepth 1

        # Per-location override: because the vhost default is "none", mod_ssl has to
        # renegotiate the already-established TLS connection to request the client
        # certificate when a request for /test arrives
        <Location /test>
            SSLVerifyClient require
            SSLVerifyDepth 1
        </Location>
    </VirtualHost>

My research has indicated that this is usually caused by bad certificates, so I have regenerated the certificates several times, and each time it works fine for the entire domain but gives the handshake error when I try to limit it to just one location. Since these configurations are suggested by the Apache documentation, I am not sure what is going wrong. Does anybody know how to resolve the handshake problem that happens when you try to limit the client authentication to one location?

Best Answer

Does your server support the TLS renegotiation extension (RFC 5746)? Does it have a version of OpenSSL that blocks renegotiation altogether (which was the interim fix for CVE-2009-3555)?

If SSLVerifyClient is limited to a Location, this entails a second handshake to renegotiate the connection and request the client certificate. This is where the security issue in SSL/TLS (CVE-2009-3555) was happening and what RFC 5746 fixes (provided the client supports it too).

More information on the versions is in this StackOverflow answer.
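The two checks the answer asks for, as an added example that is not part of the original question or answer: classify whether a server advertises RFC 5746 secure renegotiation from an `openssl s_client` transcript, classify the OpenSSL version the server is built against (0.9.8l disabled renegotiation outright as the interim CVE-2009-3555 fix; 0.9.8m and later implement RFC 5746), and drive the renegotiating path by requesting the protected Location on an open connection. The hostname, the `client.pem`/`client.key`/`cacert.pem` paths, and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic helpers for the "SSLVerifyClient inside <Location>" handshake failure.
# Nothing here is from the original post; hostnames, file paths and transcripts are assumptions.

# Classify an `openssl s_client` transcript read on stdin. Since 0.9.8m, s_client prints
# "Secure Renegotiation IS supported" or "... IS NOT supported" in its handshake summary.
sclient_reneg_class() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo not_supported ;;  # no RFC 5746: renegotiation refused or insecure
        *"Secure Renegotiation IS supported"*)     echo supported ;;      # RFC 5746 renegotiation_info negotiated
        *)                                         echo unknown ;;        # older s_client or truncated output
    esac
}

# Classify the server-side OpenSSL from the output of `openssl version`.
#   < 0.9.8l : renegotiation allowed without RFC 5746 (vulnerable to CVE-2009-3555)
#   0.9.8l   : renegotiation disabled entirely (interim fix) -> mod_ssl per-Location verify fails
#   0.9.8m+  : RFC 5746 implemented; renegotiation works if the client supports it too
openssl_reneg_class() {
    ver=$(printf '%s' "$1" | awk '{print $2}')
    case "$ver" in
        [1-9].*|0.9.8[m-z]*) echo rfc5746 ;;
        0.9.8l*)             echo blocked ;;
        *)                   echo insecure ;;
    esac
}

# Live probe (needs network): send a request for the protected path on the connection
# s_client just opened. mod_ssl then sends HelloRequest to renegotiate and ask for the
# client certificate; a server that refuses renegotiation closes the connection here.
# Pipe the output into sclient_reneg_class to see the RFC 5746 status of that server.
probe_location() {
    host=$1
    path=$2
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" |
        openssl s_client -connect "$host:443" -servername "$host" \
            -cert client.pem -key client.key -CAfile cacert.pem -ign_eof 2>&1
}

# Constructed sample transcripts (abridged) for offline use.
SAMPLE_SECURE='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=wrangler.example.test
---
SSL handshake has read 1327 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
---'

SAMPLE_LEGACY='CONNECTED(00000003)
---
SSL handshake has read 1210 bytes and written 386 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---'

# Usage on a real host:  probe_location wrangler.optimis.local /test | sclient_reneg_class
# Server side:           openssl_reneg_class "$(openssl version)"
```

If the server reports `blocked` (0.9.8l) the per-Location `SSLVerifyClient` cannot work at all; upgrade OpenSSL to 0.9.8m or later and Apache to 2.2.15 or later, which added RFC 5746 support. If the server reports `rfc5746` but the client transcript says `not_supported`, the client lacks the extension and Apache refuses the renegotiation; the `SSLInsecureRenegotiation` directive (2.2.15+) re-enables legacy renegotiation for such clients, at the cost of reopening CVE-2009-3555.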