---
tags: nta
---

# JBCS mTLS configuration

### JBCS ssl debug log

```
[Thu Feb 02 11:21:31.837370 2023] [ssl:info] [pid 5184:tid 13180] [client 114.35.78.2:10663] AH01964: Connection to child 696 established (server epstest.nta.gov.tw:443)
[Thu Feb 02 11:21:31.837370 2023] [ssl:debug] [pid 5184:tid 13180] ssl_engine_kernel.c(2154): [client 114.35.78.2:10663] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Thu Feb 02 11:21:31.853043 2023] [socache_shmcb:debug] [pid 5184:tid 13180] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xa3 -> subcache 3)
[Thu Feb 02 11:21:31.853043 2023] [socache_shmcb:debug] [pid 5184:tid 13180] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32)
[Thu Feb 02 11:21:31.853043 2023] [socache_shmcb:debug] [pid 5184:tid 13180] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/180
[Thu Feb 02 11:21:31.853043 2023] [socache_shmcb:debug] [pid 5184:tid 13180] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully
[Thu Feb 02 11:21:31.853043 2023] [ssl:debug] [pid 5184:tid 13180] ssl_engine_kernel.c(2053): [client 114.35.78.2:10663] AH02041: Protocol: TLSv1.2, Cipher: AES256-SHA (256/256 bits)
[Thu Feb 02 11:21:31.853043 2023] [ssl:debug] [pid 5184:tid 13180] ssl_engine_kernel.c(361): [client 114.35.78.2:10663] AH02034: Initial (No.1) HTTPS request received for child 696 (server epstest.nta.gov.tw:443)
[Thu Feb 02 11:21:31.853043 2023] [ssl:debug] [pid 5184:tid 13180] ssl_engine_kernel.c(745): [client 114.35.78.2:10663] AH02255: Changed client verification type will force renegotiation
[Thu Feb 02 11:21:31.853043 2023] [ssl:info] [pid 5184:tid 13180] [client 114.35.78.2:10663] AH02221: Requesting connection re-negotiation
[Thu Feb 02 11:21:31.853043 2023] [ssl:debug] [pid 5184:tid 13180] ssl_engine_kernel.c(975): [client 114.35.78.2:10663] AH02260: Performing full renegotiation: complete handshake protocol (client does not support secure renegotiation)
[Thu Feb 02 11:21:31.853043 2023] [ssl:error] [pid 5184:tid 13180] [client 114.35.78.2:10663] AH02225: Re-negotiation request failed
[Thu Feb 02 11:21:31.853043 2023] [ssl:error] [pid 5184:tid 13180] SSL Library Error: error:14080152:SSL routines:ssl3_accept:unsafe legacy renegotiation disabled
[Thu Feb 02 11:21:31.853043 2023] [headers:debug] [pid 5184:tid 13180] mod_headers.c(899): AH01503: headers: ap_headers_error_filter()
[Thu Feb 02 11:21:31.853043 2023] [ssl:info] [pid 5184:tid 13180] (11)Resource temporarily unavailable: [client 114.35.78.2:10663] AH02008: SSL library error 1 in handshake (server epstest.nta.gov.tw:443)
[Thu Feb 02 11:21:31.853043 2023] [ssl:info] [pid 5184:tid 13180] SSL Library Error: error:140800FF:SSL routines:ssl3_accept:unknown state
[Thu Feb 02 11:21:31.853043 2023] [ssl:info] [pid 5184:tid 13180] [client 114.35.78.2:10663] AH01998: Connection closed to child 696 with abortive shutdown (server epstest.nta.gov.tw:443)
```

### client log

```shell
curl -s -S -v --cert ntatest.crt --key ntatest.key --cacert ROOTeCA_64.crt https://epstest.nta.gov.tw/eps/docs/404
```

```
* Trying 163.29.58.4:443...
* Connected to epstest.nta.gov.tw (163.29.58.4) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: ROOTeCA_64.crt
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=TW; L=\U81FA\U7063; O=\U884C\U653F\U9662-\U8CA1\U653F\U90E8-\U570B\U5EAB\U7F72; CN=epstest.nta.gov.tw
* start date: Dec 23 03:19:27 2022 GMT
* expire date: Dec 23 03:19:27 2023 GMT
* subjectAltName: host "epstest.nta.gov.tw" matched cert's "epstest.nta.gov.tw"
* issuer: C=TW; O=\U884C\U653F\U9662; CN=\U653F\U5E9C\U4F3A\U670D\U5668\U6578\U4F4D\U6191\U8B49\U7BA1\U7406\U4E2D\U5FC3 - G1
* SSL certificate verify ok.
> GET /eps/docs/404 HTTP/1.1
> Host: epstest.nta.gov.tw
> User-Agent: curl/7.85.0
> Accept: */*
>
* LibreSSL SSL_read: Connection reset by peer, errno 54
* Closing connection 0
curl: (56) LibreSSL SSL_read: Connection reset by peer, errno 54
```

What ChatGPT said:

```
Listen 443
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    # CA bundle used to verify client certificates (placeholder path)
    SSLCACertificateFile /path/to/ca.pem
    # Required because the /secure backend is proxied over https
    SSLProxyEngine on

    <Location /secure>
        # Verify the user's (client) certificate. Setting this per location
        # forces a renegotiation on TLS 1.2 and earlier (AH02255 in the log above).
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLRequire ( %{SSL_CLIENT_S_DN_CN} eq "Specific Certificate CN" \
                  && %{SSL_CLIENT_I_DN_O} eq "Specific Certificate O" \
                  && %{SSL_CLIENT_I_DN_OU} eq "Specific Certificate OU" )
        # Inside <Location>, ProxyPass takes its path from the section
        ProxyPass https://backend/secure/
        ProxyPassReverse https://backend/secure/
    </Location>

    ProxyPass / http://backend/
    ProxyPassReverse / http://backend/
</VirtualHost>
```

### mTLS client

https://github.com/joutwate/mtls-springboot

### mTLS configuration test

```
curl --cert cert.pem --key key.pem https://example.com
```

### Request with mTLS

Here's a general overview of how to generate a PEM file and use it to issue an mTLS request with curl:

#### Generating the PEM file:

You can use OpenSSL to generate a private key and a self-signed certificate in PEM format:

```shell
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
```

This will generate two files, key.pem (the private key) and cert.pem (the certificate).

#### Using the PEM file with curl:

To use the PEM file with curl, you can specify the --cert and --key options:

```shell
curl --cert cert.pem --key key.pem https://example.com
```

This will issue an mTLS request to https://example.com using the certificate and private key stored in cert.pem and key.pem, respectively.

Note that this is just an example. You may need to modify the options depending on your specific use case.
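
A triage script for logs like the JBCS ssl debug log above, added here as an example and not part of the original note: it groups lines by worker thread and flags connections where the renegotiation announced by AH02255 ends in AH02225. The sample lines, addresses and host name are constructed, and `triage` and its verdict names are hypothetical.

```python
import re

# Constructed sample in the format of the JBCS log above (documentation
# addresses and host name; not taken from a real server).
P = "[Thu Feb 02 11:21:31.853043 2023] "
SAMPLE = "\n".join([
    P + "[ssl:info] [pid 10:tid 1] [client 192.0.2.10:40001] AH01964: Connection to child 1 established (server www.example.test:443)",
    P + "[ssl:debug] [pid 10:tid 1] ssl_engine_kernel.c(2154): [client 192.0.2.10:40001] AH02645: Server name not provided via TLS extension (using default/first virtual host)",
    P + "[ssl:debug] [pid 10:tid 1] ssl_engine_kernel.c(745): [client 192.0.2.10:40001] AH02255: Changed client verification type will force renegotiation",
    P + "[ssl:debug] [pid 10:tid 1] ssl_engine_kernel.c(975): [client 192.0.2.10:40001] AH02260: Performing full renegotiation: complete handshake protocol (client does not support secure renegotiation)",
    P + "[ssl:error] [pid 10:tid 1] [client 192.0.2.10:40001] AH02225: Re-negotiation request failed",
    P + "[ssl:error] [pid 10:tid 1] SSL Library Error: error:14080152:SSL routines:ssl3_accept:unsafe legacy renegotiation disabled",
    P + "[ssl:info] [pid 10:tid 2] [client 192.0.2.20:40002] AH01964: Connection to child 2 established (server www.example.test:443)",
    P + "[ssl:debug] [pid 10:tid 2] ssl_engine_kernel.c(745): [client 192.0.2.20:40002] AH02255: Changed client verification type will force renegotiation",
])

LINE = re.compile(r"^\[[^\]]+\] \[\w+:\w+\] \[pid (\d+):tid (\d+)\] (.*)$")
CLIENT = re.compile(r"\[client ([^\]]+)\]")
CODE = re.compile(r"\b(AH\d{5}):")

def triage(log_text):
    """Return one finding per TLS connection, keyed on the (pid, tid) worker."""
    current, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        worker, rest = (m.group(1), m.group(2)), m.group(3)
        code = c.group(1) if (c := CODE.search(rest)) else None
        if code == "AH01964" or worker not in current:
            # AH01964 opens a new connection on this worker thread.
            current[worker] = {"client": None, "codes": set(), "unsafe_legacy": False}
            findings.append(current[worker])
        conn = current[worker]
        client = CLIENT.search(rest)
        if client:
            conn["client"] = client.group(1)
        if code:
            conn["codes"].add(code)
        # Library errors carry no [client ...] field, hence the worker grouping.
        conn["unsafe_legacy"] |= "unsafe legacy renegotiation disabled" in rest
    for conn in findings:
        codes = conn["codes"]
        conn["no_sni"] = "AH02645" in codes
        conn["verdict"] = ("renegotiation-failed" if {"AH02255", "AH02225"} <= codes
                           else "renegotiation-requested" if "AH02255" in codes
                           else "no-renegotiation")
    return findings
```
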