httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Re: mod_ssl help
Date Sun, 03 Mar 2013 22:23:29 GMT
On 04/03/2013 7:33 AM, "Michele Mase'" <michele.mase@gmail.com> wrote:
>
> Anyone?
>
>
> On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.mase@gmail.com> wrote:
>>
>> I'm testing a client authentication using:
>>
>> SSLCACertificateFile /path/to/pemfile.pem
>> <LocationMatch "/test">
>>         SSLVerifyClient require
>>         SSLVerifyDepth 2
>>         SSLOptions +StdEnvVars +ExportCertData
>>         SSLRequire  %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>> </LocationMatch>
>>
>>
>> I should use two different CAs with the same DN (file /path/to/pemfile.pem)
>> When I try to use this configuration I receive:
>> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
>> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>
>> The only way it works is without the SSLRequire directive.
>> or
>> Using only one CA in the file (file /path/to/pemfile.pem)
>>
>> Some suggestions?
>>
>> Regards
>> Michele Masè
>
>
Please paste the output of

# openssl x509 -noout -in /path/to/pemfile.pem -text

so we know what we are talking about here. If there are multiple DNs in the
file, why are you trying to match one using eq then? Anyway, the above command
will show us the issuer DN string and you can see what you are doing wrong.
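
For a file like the one in this thread, which holds more than one CA certificate, `openssl x509` reads only the first certificate in the file. The shell sketch below is an added example, not part of any message in the thread: it splits the bundle and prints every certificate's subject and issuer DN in the slash-separated form used by the `SSLRequire` expression above, so the strings can be compared directly. The function names and temporary file names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): inspect every certificate in a PEM
# bundle, e.g.  sh list-bundle.sh /path/to/pemfile.pem
# The script name and function names are hypothetical.

# split_bundle BUNDLE OUTDIR
# Writes each certificate to OUTDIR/cert-N.pem and prints how many were found.
# Text outside the BEGIN/END markers is ignored.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# show_bundle BUNDLE
# Prints subject and issuer DN of each certificate in the bundle.
# -nameopt compat selects the one-line "/C=.../O=.../CN=..." format.
show_bundle() {
    tmp=$(mktemp -d) || return 1
    count=$(split_bundle "$1" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== certificate $i of $count"
        openssl x509 -noout -subject -issuer -nameopt compat \
            -in "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Run only when a bundle path is given on the command line.
if [ $# -gt 0 ]; then
    show_bundle "$1"
fi
```

The issuer DN of a client certificate is the subject DN of the CA that signed it, so the `subject=` lines are the ones to compare with the `SSL_CLIENT_I_DN` string.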
