flederwiesel
New Pleskian
- Server operating system version
- Ubuntu 20.04.6 LTS
- Plesk version and microupdate number
- Plesk Obsidian 18.0.66.2
Hi folks,
I want to enable SSL Client authentication for a web directory using an "SSLVerifyClient require" directive in the directory's .htaccess. I am running Apache/2.4.62 OpenSSL/1.1.1f behind nginx/1.26.2, and the problem occurs no matter the user agent (let's take curl 8.9.1 OpenSSL/3.0.14 as an example). I checked the client certificates - issued by a custom CA, which is known by the system - and was able to successfully test using those on a local xampp server. The complete message is
Code:
AH10158: cannot perform post-handshake authentication
SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
I have been digging the net up and down, but did not find a solution so far. Some posts suggest to disable TLSv1.3, which I don't think is a considerable solution, and only resulted in a different error:
Code:
AH02034: Initial (No.1) HTTPS request received for child 0 (server fra-flugplan.de:443)
AH02255: Changed client verification type will force renegotiation
AH02256: Non-default virtual host with SSLVerify set to 'require' and VirtualHost-specific CA certificate list is only available to clients with TLS server name indication (SNI) support
So my questions are:
- How would I enable client cert authentication for a single web directory?
- Does post-handshake mean checking the client cert after the finished initial TLS handshake? How to work around this?
- What is a Non-default virtual host?
- Why does it complain about SNI, which is enabled and from my understanding works properly?
Server version:
Code:
# apache2 -V
Server version: Apache/2.4.62 (Ubuntu)
Server built: 2024-07-22T12:36:32
Server's Module Magic Number: 20120211:134
Server loaded: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.34 2019-11-21
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.34 2019-11-21
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"
Client Certificate:
Code:
$ openssl x509 -noout -issuer -subject -purpose < getflights.pem
issuer=C = DE, O = flederwiesel, OU = Special Programming Forces, CN = fra-flugplan.de CA
subject=C = DE, L = Ludwigshafen, O = flederwiesel, OU = Special Programming Forces, CN = getflights
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Server certificate:
Code:
$ openssl s_client -showcerts fra-flugplan.de:443 | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = fra-flugplan.de
verify return:1
issuer=C = US, O = Let's Encrypt, CN = R11
subject=CN = fra-flugplan.de
X509v3 Subject Alternative Name:
DNS:*.fra-flugplan.de, DNS:fra-flugplan.de
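One way to get a per-directory client-certificate check without relying on post-handshake authentication, as an added example and not the poster's or Plesk's configuration: request the certificate at the virtual-host level during the initial handshake with SSLVerifyClient optional, then require a verified certificate only for the protected directory. The ServerName and the CA name come from the post; all file paths and the directory name are assumptions.

```apache
# Added example, not from the post. Requesting the certificate at the
# virtual-host level means it arrives in the initial TLS handshake, so
# mod_ssl never has to raise the verification mode mid-connection, which
# on TLS 1.3 needs client-side post-handshake authentication (the AH10158
# error above) and on TLS 1.2 a renegotiation (AH02255).
<VirtualHost *:443>
    ServerName fra-flugplan.de
    SSLEngine on
    # Placeholder paths for the Let's Encrypt server certificate and key
    SSLCertificateFile    /etc/ssl/private/fra-flugplan.de.crt
    SSLCertificateKeyFile /etc/ssl/private/fra-flugplan.de.key

    # The custom CA that issued the client certificates (placeholder path).
    # Only certificates chaining to this CA count as verified.
    SSLCACertificateFile  /etc/ssl/certs/fra-flugplan-ca.pem
    SSLVerifyDepth        2

    # Ask every client for a certificate, but do not reject clients that
    # present none; authorization is decided per directory below.
    SSLVerifyClient optional

    # Protected directory (assumed path): only verified client certs get in.
    <Directory "/var/www/vhosts/fra-flugplan.de/httpdocs/getflights">
        Require ssl-verify-client
        # Optional tightening: pin to the subject CN shown in the post.
        # Require expr "%{SSL_CLIENT_S_DN_CN} == 'getflights'"
    </Directory>
</VirtualHost>
```

In Plesk this block belongs in the domain's "Additional directives for HTTPS" under Apache & nginx Settings rather than in a hand-edited vhost file. Because nginx sits in front of Apache, the TLS connection Apache sees may be nginx's own rather than the browser's, so the certificate has to be requested by whichever server actually terminates the client's TLS session.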