
Question `SSLVerifyClient require` -> AH10158: cannot perform post-handshake authentication

flederwiesel

New Pleskian
Server operating system version
Ubuntu 20.04.6 LTS
Plesk version and microupdate number
Plesk Obsidian 18.0.66.2
Hi folks,
I want to enable SSL client authentication for a web directory using an SSLVerifyClient require directive in the directory's .htaccess. I am running Apache/2.4.62 OpenSSL/1.1.1f behind nginx/1.26.2, and the problem occurs no matter the user agent (let's take curl 8.9.1 OpenSSL/3.0.14 as an example). I checked the client certificates - issued by a custom CA, which is known by the system - and was able to successfully test using those on a local xampp server.

The complete message is

Code:
AH10158: cannot perform post-handshake authentication
SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

I have been digging the net up and down, but did not find a solution so far. Some posts suggest disabling TLSv1.3, which I don't think is a considerable solution, and it only resulted in a different error:

Code:
AH02034: Initial (No.1) HTTPS request received for child 0 (server fra-flugplan.de:443)
AH02255: Changed client verification type will force renegotiation
AH02256: Non-default virtual host with SSLVerify set to 'require' and VirtualHost-specific CA certificate list is only available to clients with TLS server name indication (SNI) support

So my questions are:
  • How would I enable client cert authentication for a single web directory?
  • Does post-handshake mean checking the client cert after the finished initial TLS handshake? How to work around this?
  • What is a Non-default virtual host?
  • Why does it complain about SNI, which is enabled and from my understanding works properly?
____

Server version:
Code:
# apache2 -V
Server version: Apache/2.4.62 (Ubuntu)
Server built:   2024-07-22T12:36:32
Server's Module Magic Number: 20120211:134
Server loaded:  APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.34 2019-11-21
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.34 2019-11-21
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_PROC_PTHREAD_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

Client Certificate:
Code:
$ openssl x509 -noout -issuer -subject -purpose < getflights.pem
issuer=C = DE, O = flederwiesel, OU = Special Programming Forces, CN = fra-flugplan.de CA
subject=C = DE, L = Ludwigshafen, O = flederwiesel, OU = Special Programming Forces, CN = getflights
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Server certificate:
Code:
$ openssl s_client -showcerts fra-flugplan.de:443 | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = fra-flugplan.de
verify return:1
issuer=C = US, O = Let's Encrypt, CN = R11
subject=CN = fra-flugplan.de
X509v3 Subject Alternative Name:
    DNS:*.fra-flugplan.de, DNS:fra-flugplan.de
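
An added example, not from the original post and not Plesk's own configuration, showing how a practitioner would set this up on the Apache side. The underlying cause is that TLS 1.3 has no renegotiation, so a per-directory `SSLVerifyClient require` can only be honoured through post-handshake authentication (RFC 8446, section 4.6.2), which the client has to opt into by sending the post_handshake_auth extension in its ClientHello; OpenSSL's "extension not received" means curl did not send it, and the mainstream browsers do not send it either. The robust workaround is to request the certificate during the initial handshake at virtual-host level, without rejecting clients that present none, and to enforce it only for the protected directory with an authorization expression. The domain and the client CN "getflights" are taken from the post; every file path, the CA file name and the protected directory are assumptions for illustration. This fragment applies only where Apache itself terminates the client's TLS connection: if nginx terminates TLS on port 443 and proxies to Apache (which is how Plesk's nginx reverse proxy works), the handshake Apache sees is with nginx, not with the browser, and the client certificate would have to be requested and verified by nginx (`ssl_client_certificate`, `ssl_verify_client`) instead.

```apache
# Added example (not from the original post or from Plesk).
# Assumed paths: /etc/ssl/fra-flugplan/* and the protected directory below.

<VirtualHost *:443>
    ServerName  fra-flugplan.de
    ServerAlias www.fra-flugplan.de

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    /etc/ssl/fra-flugplan/fullchain.pem   # assumed path
    SSLCertificateKeyFile /etc/ssl/fra-flugplan/privkey.pem     # assumed path

    # The custom CA that issued the client certificates (assumed path).
    # Only certificates chaining to this file yield SSL_CLIENT_VERIFY=SUCCESS.
    SSLCACertificateFile  /etc/ssl/fra-flugplan/ca.pem
    # The client certificate in the post is issued directly by the CA.
    SSLVerifyDepth 1

    # Ask for a client certificate in the initial handshake (no renegotiation
    # or post-handshake auth needed), but do not reject clients without one
    # here. A client that presents a certificate which does NOT chain to the
    # CA above still fails the handshake: "optional" is not "optional_no_ca".
    SSLVerifyClient optional

    # Enforce the certificate only for the protected directory. Multiple
    # Require lines are ORed by default, so wrap them in RequireAll.
    <Directory /var/www/vhosts/fra-flugplan.de/httpdocs/getflights>
        <RequireAll>
            Require expr %{SSL_CLIENT_VERIFY} == "SUCCESS"
            # Pin the expected subject as well, so any other certificate the
            # same CA issued does not automatically get access.
            Require expr %{SSL_CLIENT_S_DN_CN} == "getflights"
        </RequireAll>
    </Directory>
</VirtualHost>
```

To check the result: `curl --cert getflights.pem --key getflights.key https://fra-flugplan.de/getflights/` should return the content, the same request without `--cert` should return 403 for that directory while the rest of the site keeps working, and a certificate from an unrelated CA should fail at the TLS handshake rather than reach the 403. Under Plesk the generated virtual host file is overwritten on reconfiguration, so the `SSLCACertificateFile`, `SSLVerifyClient` and `<Directory>` lines belong in the domain's "Additional directives for HTTPS" (Apache & nginx Settings) rather than in the vhost file or in `.htaccess`; `SSLVerifyClient` in `.htaccess` is exactly what triggers the post-handshake path, because the directory is only known after the handshake is complete.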