Approach†
- mvc (= kgb.hmuna.com) already has an official (CA-issued) server certificate installed
- mvc login authentication: no authentication from the local IP zone (including VPN connections); every other source must pass One Time Password authentication
- On top of this I want to add client certificate authentication so that authenticated clients can connect without a password
- There is no way to issue client certificates from the already-issued server certificate (CoMoDo sells client authentication as a separate option)
- On the other hand there are many reference articles on issuing client certificates from a private (self-signed) CA
- (Policy) Client certificates will be issued by a private CA, separate from the official server certificate, then hooked into Apache2 and tested
- Confirmed with CyberTrust that this approach (= using different CAs for the server certificate and the client certificates) is correct.
Retry, 2020-10 (working in /etc/ssl/officialCL)†
First, create the private CA that will issue the client certificates†
- Created the private CA following the steps on this page
- Prepare the private CA configuration file (openssl-ca.cnf) used to issue client certificates
- Copy /etc/ssl/openssl.cnf and rename it
openssl-ca.cnf
munakata@mvc:/etc/ssl/officialCL$ diff openssl-ca.cnf ../openssl.cnf
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
170c170
< basicConstraints=CA:TRUE
---
> basicConstraints=CA:FALSE
183d182
< nsCertType = sslCA, emailCA
190d188
< keyUsage = cRLSign, keyCertSign
218d215
< keyUsage = cRLSign, keyCertSign
- Create the private CA's private key (ca.key)
- Passphrase = magumaguking (deliberately different from the one used for the server certificate)
munakata@mvc:/etc/ssl/officialCL$ sudo openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
..............................................................................................................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key: <-------------- magumaguking
Verifying - Enter pass phrase for ca.key: <--- magumaguking
- Create the private CA's certificate (ca.crt)
- CN = kgb.hmuna.com <----- set to the server name
munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new -x509 -days 3650 -sha256 -key ./ca.key -out ./ca.crt -config openssl-ca.cnf
Enter pass phrase for ./ca.key: <--------- magumaguking
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com
Email Address []:admin@hmuna.com
Create a client certificate using the private CA just created†
- Issued the client certificate following the steps on this page
- Prepare the configuration file (openssl-client.cnf) used to issue the client certificate
- Copy /etc/ssl/openssl.cnf and rename it
openssl-client.cnf
munakata@mvc:/etc/ssl/officialCL$ diff openssl-client.cnf ../openssl.cnf
42c42
< dir = ./ # Where everything is kept
---
> dir = ./demoCA # Where everything is kept
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
185c185
< nsCertType = client, email, objsign
---
> # nsCertType = client, email, objsign
- Issue the CSR (= Certificate Signing Request) for the client certificate
- Passphrase = magumagu77mocha <----- better to include digits or special characters (avoids a warning at import time)
- CN = kgb.hmuna.com
- Every field other than CN must also match the private CA created above
munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new -config openssl-client.cnf -sha256 -keyout cl.key -out cl.csr
Generating a RSA private key
......................+++++
............................................+++++
writing new private key to 'cl.key'
Enter PEM pass phrase: <------------ magumagu77mocha
Verifying - Enter PEM pass phrase: <------- magumagu77mocha
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com
Email Address []:admin@hmuna.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Issue the client certificate (signed by the private CA above)
munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -config openssl-client.cnf -md sha256 -cert ca.crt -keyfile ca.key -out cl.crt -infiles cl.csr
Using configuration from openssl-client.cnf
Enter pass phrase for ca.key: <------------ magumaguking
Can't open .//index.txt.attr for reading, No such file or directory
140102186156480:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//index.txt.attr','r')
140102186156480:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 6 00:57:10 2020 GMT
Not After : Oct 4 00:57:10 2030 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = IT
organizationalUnitName = Admin
commonName = kgb.hmuna.com
emailAddress = admin@hmuna.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9C:5E:85:CB:11:BC:4E:97:D2:C7:9F:59:48:35:D9:FD:FA:24:25:DF
X509v3 Authority Key Identifier:
keyid:16:DE:FF:BE:3D:C1:27:74:5D:A7:6F:EA:C0:22:F7:AE:ED:AE:4C:36
Certificate is to be certified until Oct 4 00:57:10 2030 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- Create the client certificate in a form that can be installed on end-user devices
File layout once the private CA and the client certificate have been created†
munakata@mvc:/etc/ssl/officialCL$ tree ./
./
├── ca.crt <--------------- private CA certificate
├── ca.key <--------------- private CA private key
├── cl.crt <--------------- client certificate
├── cl.csr <--------------- client certificate signing request
├── cl.key <--------------- client certificate private key
├── hmuna.p12 <------------ client certificate install file (PKCS#12 format)
├── index.txt <------------ client certificate index
├── index.txt.attr <-------- client certificate index attributes
├── index.txt.old
├── newcerts
│ └── 1000.pem <--------- client certificate
├── openssl-ca.cnf <-------- private CA config file
├── openssl-client.cnf <---- client certificate config file
├── serial <--------------- client certificate serial number
└── serial.old
1 directory, 14 files
Verifying the client certificate†
munakata@mvc:/etc/ssl/officialCL$ openssl verify -CAfile ca.crt cl.crt
cl.crt: OK
Client certificate for distribution†
Client authentication is not succeeding†
[ssl:debug] [pid 6473] ssl_engine_kernel.c(2317): [client 118.238.235.109:45972] AH02043: SSL virtual host for servername kgb.hmuna.com found
[ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [client 118.238.235.109:45972] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 312659A92A5631A0D280F0F3E5B433BE2E99DBDF / notbefore: Oct 5 01:11:02 2020 GMT / notafter: Oct 3 01:11:02 2030 GMT]
[ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [client 118.238.235.109:45972] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 6 00:57:10 2020 GMT / notafter: Oct 4 00:57:10 2030 GMT]
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x5e -> subcache 30)
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1221
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[ssl:debug] [pid 6473] ssl_engine_kernel.c(2233): [client 118.238.235.109:45972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require ip 172.0.0.1 : denied
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require ip 192.168.1 : denied
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require not env force_drop: neutral
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[ssl:debug] [pid 6473] ssl_engine_io.c(1106): [client 118.238.235.109:45972] AH02001: Connection closed to child 0 with standard shutdown (server kgb.hmuna.com:443)
Verifying the client certificate ----> failed†
- Tried verification using a CRL (= revocation list) issued by the CA, but
- creating the CRL itself already fails with an error
munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -config openssl-client.cnf -gencrl -out ca.crl
Using configuration from openssl-client.cnf
Can't open .//private/cakey.pem for reading, No such file or directory
140016686395840:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//private/cakey.pem','r')
140016686395840:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load CA private key
- Part of this error (= Can't open .//private/cakey.pem) also appeared when the client certificate was created
- Should review the contents of openssl-client.cnf and redo everything starting from creating the CA
Redo†
Checking the openssl.cnf template that serves as the base†
munakata@mvc:/etc/ssl/officialCL$ sudo find / -name openssl.cnf -print
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
/snap/core/9804/etc/ssl/openssl.cnf
/snap/core/9804/usr/lib/ssl/openssl.cnf
/snap/core/9993/etc/ssl/openssl.cnf
/snap/core/9993/usr/lib/ssl/openssl.cnf
/snap/core18/1880/etc/ssl/openssl.cnf
/snap/core18/1880/usr/lib/ssl/openssl.cnf
/snap/core18/1885/etc/ssl/openssl.cnf
/snap/core18/1885/usr/lib/ssl/openssl.cnf
munakata@mvc:/etc/ssl/officialCL$ sudo diff /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf
munakata@mvc: (blank = no differences)
Working directory = /etc/ssl/unofficial_for_CL†
Re-creating the private CA†
- Edit the configuration file
- Copy /etc/ssl/openssl.cnf and rename it openssl-privateCA.cnf
- Edit openssl-privateCA.cnf (3 places)
- Create a demoCA directory under the working directory (to match openssl.cnf)
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA
- Progress
munakata@mvc:/etc/ssl/unofficial_for_CL$ diff openssl-privateCA.cnf ../openssl.cnf
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
170c170
< basicConstraints=CA:TRUE
---
> basicConstraints=CA:FALSE
177d176
< nsCertType = sslCA,emailCA
190d188
< keyUsage = cRLSign,keyCertSign
- Create the private CA's private key (private_ca.key)
- Passphrase is magumaguking
- genrsa does not accept -config, so that option was removed from the reference procedure
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl genrsa -des3 -out ./private_ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
...............+++++
e is 65537 (0x010001)
Enter pass phrase for ./private_ca.key: <-------------------- magumaguking
Verifying - Enter pass phrase for ./private_ca.key:
- Create the private CA's certificate (private_ca.crt)
- Running it directly under sudo fails with an error, so run it in the form sudo sh -c "command" instead (changed from before)
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl req -new -x509 -days 3650 -sha256 -key ./private_ca.key -out ./private_ca.crt -config openssl-privateCA.cnf"
Enter pass phrase for ./private_ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com
Email Address []:admin@hmuna.com
Creating the client certificate†
- Edit the configuration file
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../openssl.cnf openssl-client.cnf
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo vi openssl-client.cnf
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo diff ../openssl.cnf ./openssl-client.cnf
73c73
< default_days = 365 # how long to certify for
---
> default_days = 3650 # how long to certify for
185c185
< # nsCertType = client, email, objsign
---
> nsCertType = client, email, objsign
- Create the subdirectories under demoCA
- Create the subdirectories referenced in openssl-client.cnf (otherwise it errors out)
- Subdirectories defined there
munakata@mvc:/etc/ssl/unofficial_for_CL$ grep \$dir openssl-client.cnf
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
serial = $dir/tsaserial # The current serial number (mandatory)
signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs = $dir/cacert.pem # Certificate chain to include in reply
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
- Creating the subdirectories
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/certs
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/crl
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/newcerts
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/private
munakata@mvc:/etc/ssl/unofficial_for_CL$ ls -la demoCA/
合計 24
drwxr-xr-x 6 root root 4096 10月 8 13:26 .
drwxr-xr-x 3 root root 4096 10月 8 13:08 ..
drwxr-xr-x 2 root root 4096 10月 8 13:25 certs
drwxr-xr-x 2 root root 4096 10月 8 13:25 crl
drwxr-xr-x 2 root root 4096 10月 8 13:26 newcerts
drwxr-xr-x 2 root root 4096 10月 8 13:26 private
- Create the client certificate CSR (signing request)
- Passphrase changed (shortened) to magu77mocha
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl req -new -config ./openssl-client.cnf -sha256 -keyout client.key -out client.csr
Generating a RSA private key
..........................+++++
....................................+++++
writing new private key to 'client.key'
Enter PEM pass phrase: <----------- magu77mocha
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com
Email Address []:admin@hmuna.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Have the CA sign it to create the client certificate
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl ca -config ./openssl-client.cnf -md sha256 -cert ./private_ca.crt -keyfile ./private_ca.key -out client.crt -infiles client.csr"
Using configuration from ./openssl-client.cnf
Enter pass phrase for ./private_ca.key: <---------- magumaguking
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 8 04:31:24 2020 GMT
Not After : Oct 6 04:31:24 2030 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = IT
organizationalUnitName = Admin
commonName = kgb.hmuna.com
emailAddress = admin@hmuna.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:10:87:5E:93:8B:42:77:BD:FE:B2:CB:B1:2E:A4:54:78:BC:ED:0A
X509v3 Authority Key Identifier:
keyid:DC:46:2F:B4:1C:52:B9:F8:C2:E9:4A:F6:A6:8B:F0:53:B8:E8:C3:C2
Certificate is to be certified until Oct 6 04:31:24 2030 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- Create the PKCS#12-format client certificate for installation on end-user devices
File layout at completion†
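The whole procedure (the first attempt under /etc/ssl/officialCL and the redo above) as one non-interactive script, added here as an example; it is not the page's own commands. Instead of editing a copy of /etc/ssl/openssl.cnf it writes a small config of its own, so the demoCA-style file layout, the index.txt and serial files, and the CRL settings that tripped up the runs above are all explicit. It goes beyond what the page shows in two places: it exports the PKCS#12 bundle (the command the page does not list) and it generates a CRL with one revoked certificate (the step that failed above). The client certificate's CN is a user name rather than the server name, which is my own choice; the example.invalid addresses, the "Example Private CA" name and every passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the page's own commands: the private-CA / client-certificate
# procedure above, non-interactive, with a small self-written openssl config instead
# of an edited copy of /etc/ssl/openssl.cnf.  All names, paths and passphrases are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/ca.cnf"
CA_PASS="ca-passphrase-placeholder"
CL_PASS="client-key-passphrase-placeholder"
DN_BASE="/C=JP/ST=Kanagawa/O=IT"

write_ca_config() {
  # One config for 'openssl req' and 'openssl ca'.  [ CA_default ] names every file the
  # stock openssl.cnf expects under ./demoCA ("Can't open .//private/cakey.pem" above).
  cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/private_ca.crt
private_key = \$dir/private_ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ client_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, emailProtection
nsCertType = client, email
authorityKeyIdentifier = keyid, issuer
EOF
  # The CA database 'openssl ca' refuses to start without (first serial 0x1000, as above).
  mkdir -p "$WORK/newcerts"; : > "$WORK/index.txt"; echo 1000 > "$WORK/serial"
}

make_private_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/private_ca.key" 2048
  openssl req -new -x509 -days 3650 -sha256 -config "$CFG" -extensions v3_ca \
    -key "$WORK/private_ca.key" -passin "pass:$CA_PASS" \
    -subj "$DN_BASE/CN=Example Private CA" -out "$WORK/private_ca.crt"
}

issue_client_cert() {
  # $1 becomes the CN.  C/ST/O must equal the CA's because of policy_match, which is
  # the "every field other than CN must match the CA" rule noted above.
  openssl req -new -newkey rsa:2048 -sha256 -config "$CFG" \
    -keyout "$WORK/$1.key" -passout "pass:$CL_PASS" \
    -subj "$DN_BASE/CN=$1" -out "$WORK/$1.csr"
  # -batch answers the "Sign the certificate?" and "commit?" prompts with yes.
  openssl ca -batch -config "$CFG" -extensions client_cert -notext \
    -passin "pass:$CA_PASS" -in "$WORK/$1.csr" -out "$WORK/$1.crt"
}

export_pkcs12() {
  # Key + certificate + issuing CA in one .p12 for import into a browser or OS store.
  openssl pkcs12 -export -name "$1 client certificate" -inkey "$WORK/$1.key" \
    -passin "pass:$CL_PASS" -in "$WORK/$1.crt" -certfile "$WORK/private_ca.crt" \
    -passout "pass:$CL_PASS" -out "$WORK/$1.p12"
}

revoke_and_gencrl() {
  # Revoke $1 and publish a CRL (the step that failed above); needs default_crl_days.
  openssl ca -config "$CFG" -passin "pass:$CA_PASS" -revoke "$WORK/$1.crt"
  openssl ca -config "$CFG" -passin "pass:$CA_PASS" -gencrl -out "$WORK/private_ca.crl"
}

verify_client_cert() {
  # Chain + purpose check (usable as an SSL client cert, which is what mod_ssl needs).
  # With a second argument "crl" the CRL is honoured too, so a revoked cert fails.
  trust="$WORK/private_ca.crt"; opts="-purpose sslclient"
  [ "${2:-}" = crl ] && { cat "$WORK/private_ca.crt" "$WORK/private_ca.crl" > "$WORK/trust.pem"; trust="$WORK/trust.pem"; opts="$opts -crl_check"; }
  openssl verify $opts -CAfile "$trust" "$WORK/$1.crt" >/dev/null 2>&1
}

run_demo() {
  write_ca_config; make_private_ca
  issue_client_cert alice; issue_client_cert bob
  export_pkcs12 alice
  revoke_and_gencrl bob
  verify_client_cert alice && echo "alice: chain OK, bundle at $WORK/alice.p12"
  verify_client_cert bob crl || echo "bob: revoked, rejected once the CRL is checked"
}

command -v openssl >/dev/null 2>&1 && run_demo
```

Run it with `sh` and it leaves everything in a fresh temporary directory (set WORK to reuse one). The policy_match section is the same one the stock openssl.cnf applies: it compares C, ST and O against the CA certificate and has no localityName entry, which is also why L=Yokohama is missing from the client certificate Subject in the output above although it was typed in. The PKCS#12 bundle carries the issuing CA certificate as well, so the importing device can display the full chain.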
munakata@mvc:/etc/ssl/unofficial_for_CL$ tree
.
├── client.crt <-------- client certificate
├── client.csr <-------- client certificate signing request
├── client.key <-------- client certificate private key
├── demoCA
│ ├── certs
│ ├── crl
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── newcerts
│ │ └── 1000.pem
│ ├── private
│ ├── serial
│ └── serial.old
├── hmuna_kgb.p12 <--------- client certificate distribution file
├── openssl-client.cnf <----- openssl config file (client certificate)
├── openssl-privateCA.cnf <--- openssl config file (private CA)
├── private_ca.crt <-------- private CA certificate
└── private_ca.key <-------- private CA private key
5 directories, 15 files
Client certificate for distribution†
Still cannot log in with the client certificate, though the situation may have changed†
- The certificate itself is evaluated correctly and the log reaches leaving socache_shmcb_store successfully
- But the require valid-user condition is not satisfied, so it still seems to be asking for the login password
- How should the condition for authenticating by client certificate be written?
debug_20201008_001.txt
[pid 29512] [client 118.238.235.109:59972] AH01964: Connection to child 3 established (server kgb.hmuna.com:443)
[pid 29514] [client 118.238.235.109:59970] AH01964: Connection to child 2 established (server kgb.hmuna.com:443)
[ssl:debug] [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found
[ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found
[ssl:debug] [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found
[ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found
[core:debug] [pid 29514] protocol.c(2257): [client 118.238.235.109:59970] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com
[core:debug] [pid 29512] protocol.c(2257): [client 118.238.235.109:59972] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com
[ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[ssl:debug] [pid 29512] ssl_engine_kernel.c(383): [client 118.238.235.109:59972] AH02034: Initial (No.1) HTTPS request received for child 3 (server kgb.hmuna.com:443)
[ssl:debug] [pid 29514] ssl_engine_kernel.c(2233): [client 118.238.235.109:59970] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[ssl:debug] [pid 29512] ssl_engine_kernel.c(746): [client 118.238.235.109:59972] AH02255: Changed client verification type will force renegotiation
[ssl:info] [pid 29512] [client 118.238.235.109:59972] AH02221: Requesting connection re-negotiation
[ssl:debug] [pid 29512] ssl_engine_kernel.c(977): [client 118.238.235.109:59972] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[ssl:info] [pid 29512] [client 118.238.235.109:59972] AH02226: Awaiting re-negotiation handshake
[ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found
[ssl:debug] [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 5D71917FDAEE249332210B35B4C0343E520A2DFD / notbefore: Oct 8 03:27:31 2020 GMT / notafter: Oct 6 03:27:31 2030 GMT]
[ssl:debug] [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 8 04:31:24 2020 GMT / notafter: Oct 6 04:31:24 2030 GMT]
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x7b -> subcache 27)
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1221
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require ip 172.0.0.1: denied
[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require ip 192.168.1: denied
[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require not env force_drop: neutral
[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
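One way to write the condition asked about above, as an added example; this is not the page's own Apache configuration, and the certificate paths, the /mvc location and the password file are placeholders. The debug output shows where the attempt stalls: mod_ssl accepts the certificate (the depth 1 and depth 0 verification lines), but `Require valid-user` is still denied, because a verified client certificate on its own does not create an authenticated user in Apache. mod_ssl ships its own authorization provider for exactly this case, `Require ssl-verify-client`, which is satisfied when the client presented a certificate that chained to SSLCACertificateFile, so it can sit beside the existing rules inside `<RequireAny>`:

```apache
# Added example, not the page's own Apache configuration.  Paths, the /mvc
# location and the password file are placeholders.
<VirtualHost *:443>
    ServerName kgb.hmuna.com
    SSLEngine on
    # the official server certificate (placeholder paths)
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # the private CA that issued the client certificates; a different CA from
    # the one behind the server certificate, as decided at the top of the page
    SSLCACertificateFile  /etc/ssl/unofficial_for_CL/private_ca.crt
    # "optional": ask for a certificate but let clients without one continue to
    # the password / one-time-password path below; "require" would reject them
    SSLVerifyClient optional
    SSLVerifyDepth  1
    # to enforce the CRL generated by the private CA, also point mod_ssl at it:
    # SSLCARevocationFile  /etc/ssl/unofficial_for_CL/private_ca.crl
    # SSLCARevocationCheck leaf

    <Location /mvc>
        AuthType Basic
        AuthName "mvc"
        AuthUserFile /etc/apache2/mvc.htpasswd
        <RequireAny>
            # local zone: no authentication
            Require ip 192.168.1
            # verified client certificate: mod_ssl's own authz provider, so no
            # "authenticated user" is needed and valid-user is never consulted
            Require ssl-verify-client
            # everyone else: the existing password authentication
            <RequireAll>
                Require not env force_drop
                Require valid-user
            </RequireAll>
        </RequireAny>
    </Location>
</VirtualHost>
```

With `SSLVerifyClient optional` the one-time-password path keeps working for clients that have no certificate; with `require`, those clients would be refused at the TLS layer before any authorization rule runs. The other standard route is `SSLOptions +FakeBasicAuth`, which turns the certificate's subject DN into a Basic-auth user name whose password is the fixed word "password"; that does satisfy `Require valid-user`, but it needs one entry per DN in the password file, so `Require ssl-verify-client` is the simpler fit for the rule set in the log above.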
Other†
JCAN certificate (commercial client certificate)†
Reference URLs†