ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED in Google Chrome

假如想象 提交于 2019-12-03 11:17:58

I'm experiencing the same thing here with Windows7 client systems unable to authenticate with client certificates against some of our systems, but not others. The affected servers are running Apache Tomcat while the unaffected are running IIS7, though I'm hesitant to identify that difference as the culprit.

Anyone else seeing this?

EDIT:

I'm able to eliminate the problem by disabling TLSv1.2 on the server. Is anyone else able to replicate this experience?

I would also be interested to know whether anyone else is seeing this on anything but the Windows platform, as it's the only place it's happening here (same version OSX has no issues).

EDIT2:

Chrome Bug Report here: https://code.google.com/p/chromium/issues/detail?id=278370

EDIT3:

Should be working again in latest Chrome stable. Chrome 30 will have a more robust fix, but 29.x should also work now.

We are experiencing the same problem. As Sean has reported, it seems that Chrome on Windows XP negotiates TLSv1.2 even though the operating system does not support SHA-2 (say, SHA-256 or SHA-384) hash function.

We found that Chrome fails when it receives "client certificate request" following SERVER HELLO. SERVER HELLO itself negotiates RC4-SHA1 (in our environment) which should succeeds. The problematic packet seems the "client certificate request" that includes SHA-2 (as well as SHA1) functions for hashes.

Invoking Chrome with "--enable-logging --log-level=0" outputs the following message: ERROR:nss_ssl_util.cc(193)] ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error -12222, OS error -2146893816

This is an Operating system error corresponding "NTE_BAD_ALGID" for CryptSignHash function: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380280(v=vs.85).aspx

Disabling TLSv1.2 on the server should fix the problem. But I think Chrome should prefer SHA1 on Windows XP.

It is combination of Win XP and Google Chrome 29.0.1547.57 m On Win 7/8 this problem doesn't occur.

You could install older working version 28.0.1500.95 http://www.filehippo.com/download_google_chrome/15657/

But settings for disabling updating are not so easy. http://dev.chromium.org/administrators/turning-off-auto-updates

The problem is caused by Chrome running TLSv1.2 on Windows XP.

This can be disabled on the server side but also on the client side.

To run Chrome with a lower version of TLS, start it with the command-line option --ssl-version-max=tls1.1

I had this problem Connecting Chrome with WebSockets to apache throw proxy_wstunnel_module.

My solution was configuring httpd.conf

ProxyPass /wss2/ ws://127.0.0.1:8080/  retry=0 keepalive=On
ProxyPassReverse /wss2/ ws://127.0.0.1:8080/  retry=0 
    <Location /wss2/>
        SSLRequireSSL On
        SSLVerifyClient none
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +StrictRequire
        SSLRenegBufferSize 10486000
    </Location>

Chrome WebSockets does not like the parameter SSLVerifyClient optional

I hope this helps.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!