I applied the POODLE fix for Apache via "SSLProtocol All -SSLv2 -SSLv3" in the ssl.conf file for our Apache server but am having issues with the CAC Client authentication via "SSLVerifyClient require". I have confirmed if I set "SSLVerifyClient none" our web application can be accessed via HTTPS and uses the correct protocol of TLSv1 but once I set "SSLVerifyClient require" (which is needed because our Web Application is CAC enabled) I get a page cannot be displayed in IE (IE has SSLv2 and SSLv3 disabled but TLS1.0-3 enabled).
The client is Windows 7 32 bit with IE 8. Server is Windows 2003 SP2.
I have done a packet capture between the client and server. The first client hello is for TLSv1.2 a Fatal Error Close Notify is then sent. since it my server does not support TLSv1.1 or TLSv1.2 then a Client Hello is sent for TLSv1. The process goes all the way up to Client Certificate request Server Hello Done then another Fatal Error Close Notify is sent by the client..
Screen Cap here: http://i.imgur.com/y3GvjlP.jpg
Here are the Full TCP streams:
The First stream a client hello is sent and tries to negotiate TLSv1.2 the server rejects as it doesn't support and sends a close notify. The Second stream sends a client hello over TLSv1.0 is send etc.. But this is from one single connection to the web server..
1st stream: i.imgur.com/pmiXn9t.jpg
2nd stream: i.imgur.com/NIh1lsZ.jpg
The connection is at TLSv1 as I have verified from https://www.ssllabs.com/ssltest/. The server even agrees on a TLS cipher..
Chrome does work fine even with SSLv2 and SSLv3 disabled via "chrome.exe --ssl-version-min=tls1"
Also this version of Apache uses mod_ossl "The mod_ossl module enables strong cryptography for Oracle HTTP Server. This Oracle module is a plug-in to Oracle HTTP Server that enables the server to use SSL. It is very similar to the OpenSSL module, mod_ssl. The mod_ossl module is based on the Oracle implementation of SSL, which supports SSL version 3 and TLS version 1, and is based on Certicom and RSA Security technology." I dont know how to upgrade this to support TLS v1.1 and TLS v1.2 as I am on the latest OHS 11g release from Oracle and this is a custom module made by Oracle..
UPDATE:
I have enabled debug log level on the OHS Apache logs. I now receive the following errors when using IE to try an access the web application:
[Mon Nov 10 08:16:05 2014] [error] [client X.X.X.X] OHS:2079 nzos handshake error, nzos_Handshake returned 28858(server X.X.X.X:443, client X.X.X.X)
[Mon Nov 10 08:16:05 2014] [error] OHS:2171 NZ Library Error: SSL protocol error [Hint: the client probably speaks HTTPS over HTTP protocol]
[Mon Nov 10 08:16:05 2014] [info] [client X.X.X.X] OHS:2073 Connection to child 107 closed with standard shutdown(server X.X.X.X:443, client X.X.X.X)
[Mon Nov 10 08:16:05 2014] [info] [client X.X.X.X] Connection to child 107 established (server X.X.X.X:443)
[Mon Nov 10 08:16:06 2014] [info] [client X.X.X.X] OHS:2079 nzos handshake error, nzos_Handshake returned 28864(server X.X.X.X:443, client X.X.X.X)
[Mon Nov 10 08:16:06 2014] [info] OHS:2171 NZ Library Error: SSL IO error [Hint: the client stop the connection unexpectedly]
[Mon Nov 10 08:16:06 2014] [info] [client X.X.X.X] OHS:2073 Connection to child 107 closed with standard shutdown(server X.X.X.X:443, client X.X.X.X)
Anyone know how to fix this on Oracle HTTP Server (OHS) Apache 2.2.22.0??
Here is a snippet of my ssl.conf file:
###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf #
###################################################################
# OHS Listen Port
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex "none"
SSLMutex pthread
##
## SSL Virtual Host Context
##
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/asset"
DirectoryIndex remagnum.html
ServerName TTSDS09083.TIMPO.OSD.MIL
# ServerAlias www.dummy-host.example.com
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
#SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSuite ALL:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3
SSLProtocol All -SSLv2 -SSLv3
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require.
#SSLVerifyClient none
SSLVerifyClient require
# SSL Certificate Revocation List Check
# Valid values are On and Off
SSLCRLCheck Off
#Path to the wallet
SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
SSLOptions +StdEnvVars +ExportCertData
SSLOptions +StdEnvVars +ExportCertData
No comments:
Post a Comment