I have had HTTPS working for a long time now, so I don't think there is any problem with the server certificates. Now I tried adding this to lighttpd.conf:
ssl.engine = "enable"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.pemfile = "/etc/ssl/private/steinbitglis.domain.pem"
ssl.ca-file = "/etc/ssl/private/GandiStandardSSLCA.pem"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
The lighttpd error log says this:
(connections.c.299) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Firefox reports the following:
ssl_error_handshake_failure_alert
My goal is to replace username + passphrase with browser certificates, but I still haven't managed to get the browser to be asked for any certificate. If anyone knows a good source for learning all the details I need to play with this technology, that would be awesome.
This is a test I did from a remote machine.
$ openssl s_client -CAfile GandiStandardSSLCA.pem -showcerts -connect steinbitglis.domain:443
CONNECTED(00000003)
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = steinbitglis.domain
verify return:1
139713412519584:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
139713412519584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=steinbitglis.domain
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=steinbitglis.domain
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
Acceptable client certificate CA names
/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
SSL handshake has read 2657 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID: CFD6D9A88B96888E9114F1EFF5DD23C83082D24F571B30105BA793FD06A1C311
Session-ID-ctx:
Master-Key: 4106EE7BB7FF8DE9793431CFFD4175842D02C08AC055D315DBEF7B9BCAD3FF5032769A18775142BEA2AF9E80694A32B3
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1338161044
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
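Added example, not part of the original post: a small POSIX shell lab that uses the openssl CLI to build a private client CA, issue one browser certificate, package it as a PKCS#12 file (the format Firefox imports), and verify that the certificate chains to that CA. The names "Example Client CA", "alice", the pass phrase and the $WORK directory are assumptions. What it illustrates about the output above: under "Acceptable client certificate CA names" the server announces only the Gandi CA, because ssl.ca-file points at Gandi's CA file. A browser only offers a client certificate issued by one of the announced CAs; Firefox has none, sends nothing, and with ssl.verifyclient.enforce the handshake is aborted ("peer did not return a certificate"). The CA that issues browser certificates has to be one lighttpd is told to accept.

```shell
#!/bin/sh
# Lab for client-certificate authentication (added example; names are assumptions).
# Creates a private CA, issues a client certificate, bundles it for a browser,
# and checks that the certificate chains to the CA lighttpd must be told to trust.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Create a self-signed CA whose only job is signing browser certificates.
make_client_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Client CA" \
        -keyout "$WORK/client-ca.key" -out "$WORK/client-ca.pem" 2>/dev/null
}

# Issue a client certificate for one user, signed by the CA above.
issue_client_cert() {
    user="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -days 365 -CAcreateserial \
        -CA "$WORK/client-ca.pem" -CAkey "$WORK/client-ca.key" \
        -in "$WORK/$user.csr" -out "$WORK/$user.pem" 2>/dev/null
}

# Bundle private key + certificate as PKCS#12, which is what Firefox imports
# under Preferences > Certificates > Your Certificates.
bundle_p12() {
    user="$1"
    openssl pkcs12 -export -name "$user" -passout pass:changeit \
        -inkey "$WORK/$user.key" -in "$WORK/$user.pem" -out "$WORK/$user.p12"
}

# Verify the client certificate against the CA file that ssl.ca-file will
# reference. Exit status 0 means the browser certificate will be acceptable.
verify_against_ca() {
    openssl verify -CAfile "$WORK/client-ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Print the issuer DN of a client certificate; compare it with the DNs the
# server announces under "Acceptable client certificate CA names" in s_client.
cert_issuer() {
    openssl x509 -noout -issuer -in "$WORK/$1.pem" | sed 's/^issuer= *//'
}

# Run the whole lab when executed directly.
if [ "${1:-}" = "run" ]; then
    make_client_ca
    issue_client_cert alice
    bundle_p12 alice
    verify_against_ca alice && echo "alice.pem chains to client-ca.pem"
    echo "issuer: $(cert_issuer alice)"
    echo "import $WORK/alice.p12 into the browser (password: changeit)"
    echo "point lighttpd's client-CA setting at $WORK/client-ca.pem"
fi
```

Run it as `sh lab.sh run`, import the resulting .p12 into Firefox, and make lighttpd trust client-ca.pem. Caveat on the lighttpd side: in the 1.4 releases of that era ssl.ca-file served two purposes at once, the intermediate chain sent to clients and the list of CAs accepted for client certificates, so the Gandi CA and the client CA would both have to be concatenated into that one file; newer lighttpd releases separate the two with ssl.ca-dn-file. After the change, the "Acceptable client certificate CA names" section of the s_client output is the quickest check that the server now announces the CA that issued the browser certificate.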