Problem with SHA2 Client Authentication in Apache

Support for security such as Firewalls and securing linux
Posts: 1
Joined: 2012/03/05 20:34:09

Problem with SHA2 Client Authentication in Apache

Postby fcreid » 2012/03/05 20:47:47

I'm unsure whether this is an Apache, OpenSSL or Windows client issue, but I'm having trouble authenticating SHA-256 Smartcard logins to my Centos 5 Apache server from Windows Internet Explorer and Chrome clients. Firefox (all tested versions) works fine, which I guess makes sense given that it has its own security modules.

# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

# apachectl -v
Server version: Apache/2.2.8 (Unix)
Server built: Sep 15 2008 20:16:50

# uname -a
Linux 2.6.18-274.18.1.el5xen #1 SMP Thu Feb 9 14:05:09 EST 2012 i686 i686 i386 GNU/Linux

Has anyone else experienced this issue? I know Microsoft is dealing with SHA2 issues ( ... ndows.aspx), and I'm wondering whether the underlying issue (mutual TLS requiring strict revocation checks) isn't at the core. This only started when I migrated to a 2048-byte certificate on the server side about six months ago. Is there some special SSLCipherSuite change in ssl.conf that is required to support this?

Any help appreciated.


Forgot to mention, the only thing logged is to ssl_error_log and is:

[error] Certificate Verification: Error (20): unable to get local issuer certificate