
I am in the following situation. I need to set up a 2-way integration with an external system. The admin of the external system required me to send two CSRs, one to be used to generate a client certificate, the other to generate a server certificate. They sent me the corresponding certificates. I set up the channel me->they with success (i.e.: I can invoke their service supplying my client certificate), but I can't set up the inverse channel correctly (i.e.: I can't make my Apache accept their client certificate without complaining).

Together with my server certificate (let's call it my-server.pem) they also sent me their own client certificate (let's call it their-client.pem). This certificate (their-client.pem) is emitted by a "self-signed" CA, that is a CA that is not among those well-known CAs already available in my Linux system. I don't have this certificate and I was not yet able to get it from the external system admins (they are reluctant... let's put aside any comment on this please... >-|)

This is how I set up my VirtualHost in Apache:

SSLEngine on
SSLCertificateFile /path/to/my-server.pem
SSLCertificateKeyFile /path/to/my-server-secret-key.key
SSLVerifyClient require
SSLCACertificateFile /path/to/their-client.pem
SSLVerifyDepth 0

Since I don't have the CA certificate and since it's perfectly fine for me to say "just trust that client certificate, nobody else!", I put the client certificate itself as the SSLCACertificateFile, as suggested in the answer to: https://security.stackexchange.com/questions/36069/use-client-certificate-using-self-signed-ca-while-using-web-certificate-of-a-pub

However, this seems not to work. The error they see on their side is:

javax.net.ssl.SSLException: Received fatal alert: unknown_ca

After enabling the SSL log and setting it to debug, what I see on my side is:

[ssl:debug] [pid 3396] ssl_engine_kernel.c(1381): [client <their-ip>:41474] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: CN=Test CA,OU=Foo,O=Bar,C=it / issuer: CN=Test CA,OU=Foo,O=Bar,C=it / serial: 1BFE / notbefore: Dec  6 15:22:45 2010 GMT / notafter: Dec  6 15:21:52 2020 GMT]
[ssl:info] [pid 3396] [client <their-IP>:41474] AH02276: Certificate Verification: Error (19): self signed certificate in certificate chain [subject: CN=Test CA,OU=Foo,O=Bar,C=it / issuer: CN=Test CA,OU=Foo,O=Bar,C=it / serial: 1BFE / notbefore: Dec  6 15:22:45 2010 GMT / notafter: Dec  6 15:21:52 2020 GMT]
[ssl:info] [pid 3396] [client <their-IP>:41474] AH02008: SSL library error 1 in handshake (server my-server.com:443)
[ssl:info] [pid 3396] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[ssl:info] [pid 3396] [client <their-IP>:41474] AH01998: Connection closed to child 54 with abortive shutdown (server my-server.com:443)

In other words, it's still trying to validate the dummy CA of the client certificate. I also tried to change SSLVerifyDepth to 1, with no luck (same error). If I disable the client certificate request (by changing SSLVerifyClient), the invocation goes fine, but I don't think it's the correct way to go.

Any suggestion on this topic would be very helpful.

    • Hmmm.. sorry, I used the same site where the question I linked was placed, since the subject seemed similar to me. I will try with Server Fault, thank you.
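Added example, not code from the question or from any answer: a small Python parser for the mod_ssl lines quoted above. It joins the AH02275 depth line to the AH02276 failure line on (pid, serial), pulls out the OpenSSL verify error number, subject and issuer, and says what each failure means for the trust store. The sample log embeds the three lines from the question (with the <their-ip> placeholders kept as written) plus one constructed error-20 line so a second failure mode is covered; the diagnosis text is my reading of the OpenSSL X509_V_ERR_* numbers, not anything the page states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three mod_ssl lines from the question, plus one
# constructed AH02276 line (error 20, pid 3397) for a different failure mode.
SAMPLE_LOG = """\
[ssl:debug] [pid 3396] ssl_engine_kernel.c(1381): [client <their-ip>:41474] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: CN=Test CA,OU=Foo,O=Bar,C=it / issuer: CN=Test CA,OU=Foo,O=Bar,C=it / serial: 1BFE / notbefore: Dec  6 15:22:45 2010 GMT / notafter: Dec  6 15:21:52 2020 GMT]
[ssl:info] [pid 3396] [client <their-IP>:41474] AH02276: Certificate Verification: Error (19): self signed certificate in certificate chain [subject: CN=Test CA,OU=Foo,O=Bar,C=it / issuer: CN=Test CA,OU=Foo,O=Bar,C=it / serial: 1BFE / notbefore: Dec  6 15:22:45 2010 GMT / notafter: Dec  6 15:21:52 2020 GMT]
[ssl:info] [pid 3396] [client <their-IP>:41474] AH02008: SSL library error 1 in handshake (server my-server.com:443)
[ssl:info] [pid 3397] [client 198.51.100.7:50120] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=other-client,O=Bar,C=it / issuer: CN=Some Intermediate CA,O=Bar,C=it / serial: 02 / notbefore: Jan  1 00:00:00 2019 GMT / notafter: Jan  1 00:00:00 2021 GMT]
"""

# AH02275 is logged once per chain depth while OpenSSL walks the chain; it is
# the only line that carries the depth, so we remember it keyed by (pid, serial).
DEPTH_RE = re.compile(
    r"\[pid (?P<pid>\d+)\].*?AH02275: Certificate Verification, depth (?P<depth>\d+).*?"
    r"serial: (?P<serial>[0-9A-Fa-f]+)"
)
# AH02276 is the verification failure; "Error (N)" is the OpenSSL X509_V_ERR_* number.
ERROR_RE = re.compile(
    r"\[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] AH02276: Certificate Verification: "
    r"Error \((?P<code>\d+)\): (?P<reason>.*?) \[subject: (?P<subject>.*?) / issuer: (?P<issuer>.*?)"
    r" / serial: (?P<serial>[0-9A-Fa-f]+)"
)


def parse_mod_ssl(log_text: str) -> List[Dict[str, object]]:
    """Return one event per AH02276 failure, with the depth from the matching
    AH02275 line (same pid and serial) when that line was logged."""
    depths: Dict[Tuple[str, str], int] = {}
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = DEPTH_RE.search(line)
        if m:
            depths[(m["pid"], m["serial"].upper())] = int(m["depth"])
            continue
        m = ERROR_RE.search(line)
        if not m:
            continue
        serial = m["serial"].upper()
        events.append({
            "client": m["client"],
            "code": int(m["code"]),
            "reason": m["reason"],
            "subject": m["subject"],
            "issuer": m["issuer"],
            "serial": serial,
            "depth": depths.get((m["pid"], serial)),  # None if no AH02275 seen
        })
    return events


def diagnose(event: Dict[str, object]) -> Tuple[str, str]:
    """Map a failure event to a short label and the trust-store action it implies."""
    code = event["code"]
    self_signed = event["subject"] == event["issuer"]
    if code == 19 and self_signed:
        # The client sent its CA in the chain; that CA is not in the server's trust store.
        return ("untrusted-root",
                "Client presented its CA certificate but that CA is not in "
                "SSLCACertificateFile/SSLCACertificatePath. Putting only the leaf there does "
                "not help: verification still walks up to this root. Get the CA certificate, "
                "or issue the client certificate from a CA you control.")
    if code == 18:
        # Self-signed leaf: the exact certificate must itself be in the trust store.
        return ("self-signed-leaf",
                "Client certificate is self-signed and not trusted; add that exact "
                "certificate to SSLCACertificateFile.")
    if code == 20:
        return ("missing-issuer",
                "Issuer of this certificate is neither sent by the client nor in the CA "
                "store; add the intermediate CA certificate.")
    if code == 21:
        return ("unverifiable-leaf", "Only the leaf was sent and its issuer is unknown.")
    if code in (9, 10):
        return ("validity-window", "Certificate outside notBefore/notAfter; check clocks.")
    return ("other", f"OpenSSL verify error {code}: {event['reason']}")


def summarize(log_text: str) -> List[Tuple[str, str]]:
    """(client, label) for every verification failure in the log text."""
    return [(str(e["client"]), diagnose(e)[0]) for e in parse_mod_ssl(log_text)]


if __name__ == "__main__":
    for ev in parse_mod_ssl(SAMPLE_LOG):
        label, advice = diagnose(ev)
        print(f"{ev['client']} depth={ev['depth']} serial={ev['serial']} "
              f"subject={ev['subject']!r} -> {label}: {advice}")
```

Run it on the sample and the question's failure classifies as untrusted-root: subject equals issuer at depth 1, so the certificate being rejected is the client's CA, not the client leaf, which is why a leaf-only SSLCACertificateFile cannot satisfy the check. Note also that SSLVerifyDepth 0 tells mod_ssl to accept only self-signed client certificates, so it does not fit a CA-issued client certificate in any case.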

Judging from the error, the application on their end is Java based. I could be wrong here, this is kind of my first rodeo. But could it be that on their end, they need to import their CA into their Java key store?

I remember setting up a trusted (secure) connection between a Java app (Atlassian Crowd) and a Novell LDAP server. The LDAP server was using a self-signed certificate as well. It would fail with a similar error. The answer there was to import the certificate into the Java key store.


    • Yes, they have a Java app, but they need to add their own CA (or directly my certificate) to their keystore to validate MY certificate, while here the problem is my side not validating THEIR certificate correctly. I assume their system is set up correctly because I can correctly invoke their service, so they are correctly validating MY certificate when I call them, so I assume they're correctly validating MY certificate when they are calling me as well.
    • Yes, this probably will be better answered over on Server Fault. One way to go ahead might be to turn things around for the them->me path. Ask them to send a CSR for a client certificate, which you then sign with your own self-signed CA. Good luck!