httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Re: mod_ssl help
Date Sun, 03 Mar 2013 23:42:12 GMT
What I was trying to point to is this:

# openssl x509 -noout -in
/etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        *Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification
Authority*
        Validity
            Not Before: Aug 28 07:24:33 2008 GMT
            Not After : Dec 31 15:59:59 2030 GMT
        Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification
Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
.
.
.

as you can see the DN is coma separated not / separated ....



On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' <michele.mase@gmail.com>wrote:

> The issuer dn is the same; the pem file is a ca bundle.
>
>
> On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icicimov@gmail.com> wrote:
>
>>
>> On 04/03/2013 7:33 AM, "Michele Mase'" <michele.mase@gmail.com> wrote:
>> >
>> > Anyone?
>> >
>> >
>> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.mase@gmail.com>
>> wrote:
>> >>
>> >> I'm testing a client authentication using:
>> >>
>> >> SSLCACertificateFile /path/to/pemfile.pem
>> >> <LocationMatch "/test">
>> >>         SSLVerifyClient require
>> >>         SSLVerifyDepth 2
>> >>         SSLOptions +StdEnvVars +ExportCertData
>> >>         SSLRequire  %{SSL_CLIENT_I_DN} eq
>> "/C=US/O=acme/OU=acme/CN=acme"
>> >> /LocationMatch>
>> >>
>> >>
>> >> I should use two different CA with the same DN (file
>> /path/to/pemfile.pem)
>> >> When i try to use this configuration I receive:
>> >> Access totest denied for 10.10.10.10 (requirement expression not
>> fulfilled)
>> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>> >>
>> >> The only way it works is without the SSLRequire directive.
>> >> or
>> >> Using only one CA in the file (file /path/to/pemfile.pem)
>> >>
>> >> Some suggestions?
>> >>
>> >> Regards
>> >> Michele Masè
>> >
>> >
>> Please paste the output of
>>
>> # openssl x509 -noout -in /path/to/pemfile.pem -text
>>
>> so we know what are we talking about here. If multiple dn in the file why
>> are you trying to match one using eq then? Anyway, the above command will
>> show us the issuer dn string and you can see what are you doing wrong.
>>
>
>

Mime
View raw message