httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Re: mod_ssl help
Date Mon, 04 Mar 2013 00:19:01 GMT
On Mon, Mar 4, 2013 at 10:42 AM, Igor Cicimov <icicimov@gmail.com> wrote:

> What I was trying to point to is this:
>
> # openssl x509 -noout -in
> /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         *Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root
> Certification Authority*
>         Validity
>             Not Before: Aug 28 07:24:33 2008 GMT
>             Not After : Dec 31 15:59:59 2030 GMT
>         Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification
> Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
> .
> .
> .
>
> as you can see the DN is coma separated not / separated ....
>
> On the other hand when tested with "openssl s_connect" for one of my
certificates it comes out as "issuer=/C=AU/ST=NSW/L=Sydney/...." so sorry
for the confusion seams the / separator is correct.

Any way, what does the test "openssl s_client -ssl3 -connect
server_name:443" show in your case?


>
> On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' <michele.mase@gmail.com>wrote:
>
>> The issuer dn is the same; the pem file is a ca bundle.
>>
>>
>> On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icicimov@gmail.com> wrote:
>>
>>>
>>> On 04/03/2013 7:33 AM, "Michele Mase'" <michele.mase@gmail.com> wrote:
>>> >
>>> > Anyone?
>>> >
>>> >
>>> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.mase@gmail.com>
>>> wrote:
>>> >>
>>> >> I'm testing a client authentication using:
>>> >>
>>> >> SSLCACertificateFile /path/to/pemfile.pem
>>> >> <LocationMatch "/test">
>>> >>         SSLVerifyClient require
>>> >>         SSLVerifyDepth 2
>>> >>         SSLOptions +StdEnvVars +ExportCertData
>>> >>         SSLRequire  %{SSL_CLIENT_I_DN} eq
>>> "/C=US/O=acme/OU=acme/CN=acme"
>>> >> /LocationMatch>
>>> >>
>>> >>
>>> >> I should use two different CA with the same DN (file
>>> /path/to/pemfile.pem)
>>> >> When i try to use this configuration I receive:
>>> >> Access totest denied for 10.10.10.10 (requirement expression not
>>> fulfilled)
>>> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>> >>
>>> >> The only way it works is without the SSLRequire directive.
>>> >> or
>>> >> Using only one CA in the file (file /path/to/pemfile.pem)
>>> >>
>>> >> Some suggestions?
>>> >>
>>> >> Regards
>>> >> Michele Masè
>>> >
>>> >
>>> Please paste the output of
>>>
>>> # openssl x509 -noout -in /path/to/pemfile.pem -text
>>>
>>> so we know what are we talking about here. If multiple dn in the file
>>> why are you trying to match one using eq then? Anyway, the above command
>>> will show us the issuer dn string and you can see what are you doing wrong.
>>>
>>
>>
>

Mime
View raw message