
MTLS Setup issue - Apache HTTP Server and Weblogic
Hi Team,

I need help setting up mTLS between the Apache HTTP Server and a WebLogic server (app server).

I have gone through a few links, but those are not working. After following the suggested steps I was able to start the Apache HTTP Server, but the application is not working. I am getting the messages below in the error log while accessing the application.

Could anyone please look at it and share some suggestions on how we should set up mTLS between the web and app server? Please let me know if any additional info is needed.

Error messages:

"message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown (server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }

The ssl.conf file has the directives below set.


SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyClient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10

SSLOptions +ExportCertData

SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"
SSLProxyCACertificateFile "/apps/certs/trustedca.pem"

SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"

Thanks.

Regards,
Devendra
Re: MTLS Setup issue - Apache HTTP Server and Weblogic
On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh
<Devendra.S.Daiya@wellsfargo.com.invalid> wrote:

Rough guess:

http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have
misconfigured / overlapping vhosts, as well.
RE: MTLS Setup issue - Apache HTTP Server and Weblogic
Hi Frank,

My vhost looks like the one below. Is anything set incorrectly? I do have a proxy.conf file, but nothing related to SSL is set in there. I will test apachectl -S and share the result with you.

<VirtualHost _default_:PORT>

SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyClient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLOptions +ExportCertData
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"


SSLProtocol -All +TLSv1.2 +TLSv1.1

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>

Regards,
Devendra


From: Frank Gingras <thumbs@apache.org>
Sent: Thursday, April 18, 2024 7:19 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

Re: MTLS Setup issue - Apache HTTP Server and Weblogic
On Mon, Apr 22, 2024 at 3:51 PM Daiya, Devendra singh
<Devendra.S.Daiya@wellsfargo.com.invalid> wrote:
>
> SSLVerifyClient require
> SSLVerifyDepth 10

These directives apply to the client/browser connection, so you are
effectively enabling mtls on the client side too, hence the error
messages ("AH02008: SSL library error 1 in handshake (server
hostname:port)" and "SSL Library Error: error:1417C0C7:SSL
routines:tls_process_client_certificate:peer did not return a
certificate") if the client isn't providing a certificate.

You should probably remove them if you only want mtls with the backend server.


Regards;
Yann.
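The vhost below applies Yann's fix (the browser-side SSLVerifyClient and SSLVerifyDepth are dropped) and keeps mTLS only toward the backend; it is an added example, not a configuration from the thread, and the ServerName, backend URL and file paths are placeholders. It assumes WebLogic is listening with two-way SSL and trusts the CA that issued Appcert.pem.

```apache
# Added example: one-way TLS toward browsers, mTLS only toward WebLogic.
# Hostnames, ports and file paths are placeholders, not values from the thread.
<VirtualHost _default_:443>
    ServerName www.example.com

    # Server-side TLS for browsers. No SSLVerifyClient here: that directive
    # demands a client certificate from the browser, which is what produced
    # AH02008 / error:1417C0C7 "peer did not return a certificate".
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3       # TLSv1.3 needs a build against OpenSSL 1.1.1+
    SSLCertificateFile    "/path/to/hostname.crt"   # leaf plus intermediates (httpd 2.4.8+)
    SSLCertificateKeyFile "/path/to/hostname.key"
    # SSLCACertificateFile is only needed when browsers must present certificates.

    # Reverse proxy to WebLogic over TLS, presenting Apache's own client certificate.
    SSLProxyEngine on
    SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"    # client cert + key, PEM
    SSLProxyCACertificateFile      "/path/to/certs/trustedca.pem"  # CA that signed WebLogic's cert
    SSLProxyVerify      require   # refuse a backend whose cert does not chain to trustedca.pem
    SSLProxyVerifyDepth 10
    # Keep hostname checking on: with it off, any certificate issued by the trusted CA
    # would be accepted for the backend, not only the WebLogic host named in ProxyPass.
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    ProxyPreserveHost On   # forward the browser's Host header (Frank's pointer)
    ProxyPass        "/" "https://weblogic.internal.example:7002/"
    ProxyPassReverse "/" "https://weblogic.internal.example:7002/"
</VirtualHost>
```

Run apachectl -S afterwards, as Frank suggested, to confirm this vhost is the one selected for the port: the AH02645 lines show the client sent no SNI name, so the first or default vhost on that port is the one that answers.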

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org