httpd-users mailing list archives

From "Michele Mase'" <michele.m...@gmail.com>
Subject Re: [users@httpd] Re: mod_ssl help
Date Mon, 04 Mar 2013 19:44:26 GMT
One problem is almost solved!
Two issuer DNs are similar but not the same: there is a capital letter in
the first DN and a normal letter in the other ...
But something with the authentication is wrong/missing ...
It complains about a refused renegotiation from the client side.
I'm confused; I don't know how to proceed.


On Mon, Mar 4, 2013 at 1:19 AM, Igor Cicimov <icicimov@gmail.com> wrote:

>
>
>
> On Mon, Mar 4, 2013 at 10:42 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>
>> What I was trying to point to is this:
>>
>> # openssl x509 -noout -in
>> /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 1 (0x1)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root
>> Certification Authority
>>         Validity
>>             Not Before: Aug 28 07:24:33 2008 GMT
>>             Not After : Dec 31 15:59:59 2030 GMT
>>         Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root
>> Certification Authority
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (2048 bit)
>> .
>> .
>> .
>>
>> as you can see the DN is comma separated, not / separated ....
>>
>> On the other hand when tested with "openssl s_client" for one of my
> certificates it comes out as "issuer=/C=AU/ST=NSW/L=Sydney/...." so sorry
> for the confusion, seems the / separator is correct.
>
> Anyway, what does the test "openssl s_client -ssl3 -connect
> server_name:443" show in your case?
>
>
>>
>> On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' <michele.mase@gmail.com> wrote:
>>
>>> The issuer dn is the same; the pem file is a ca bundle.
>>>
>>>
>>> On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icicimov@gmail.com> wrote:
>>>
>>>>
>>>> On 04/03/2013 7:33 AM, "Michele Mase'" <michele.mase@gmail.com> wrote:
>>>> >
>>>> > Anyone?
>>>> >
>>>> >
>>>> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.mase@gmail.com>
>>>> wrote:
>>>> >>
>>>> >> I'm testing a client authentication using:
>>>> >>
>>>> >> SSLCACertificateFile /path/to/pemfile.pem
>>>> >> <LocationMatch "/test">
>>>> >>         SSLVerifyClient require
>>>> >>         SSLVerifyDepth 2
>>>> >>         SSLOptions +StdEnvVars +ExportCertData
>>>> >>         SSLRequire  %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>>>> >> </LocationMatch>
>>>> >>
>>>> >>
>>>> >> I should use two different CAs with the same DN (file /path/to/pemfile.pem).
>>>> >> When I try to use this configuration I receive:
>>>> >> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
>>>> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>>> >>
>>>> >> The only way it works is without the SSLRequire directive,
>>>> >> or
>>>> >> using only one CA in the file (file /path/to/pemfile.pem).
>>>> >>
>>>> >> Some suggestions?
>>>> >>
>>>> >> Regards
>>>> >> Michele Masè
>>>> >
>>>> >
>>>> Please paste the output of
>>>>
>>>> # openssl x509 -noout -in /path/to/pemfile.pem -text
>>>>
>>>> so we know what we are talking about here. If there are multiple DNs in the file,
>>>> why are you trying to match one using eq then? Anyway, the above command
>>>> will show us the issuer DN string and you can see what you are doing wrong.
>>>>
>>>
>>>
>>
>
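The check Igor asks for, as an added example that is not part of this thread and not httpd or OpenSSL code: the script below splits a PEM CA bundle into its certificates (note that `openssl x509 -text` only reads the first certificate of a bundle, so the second CA is never shown by that command), walks the DER just far enough to pull out each Issuer and Subject, renders them in the slash-separated form that mod_ssl 2.2 exposes as `SSL_CLIENT_I_DN` (2.4 switched to the RFC 2253 comma form unless `SSLOptions +LegacyDNStringFormat` is set), and flags DNs that differ only in letter case. Since `SSLRequire ... eq "..."` is an exact string comparison, two CAs whose DNs differ only in case can never both satisfy one `eq` expression, which is the situation reported above. The sample bundle is constructed inline from two unsigned placeholder certificates with assumed values (not Michele's real CAs); on a real system, pass the contents of `/path/to/pemfile.pem` to `bundle_dns()` instead.

```python
"""Added example (not httpd code): list the Issuer/Subject DNs in a PEM CA bundle
in mod_ssl's legacy "/C=.../CN=..." form (what SSL_CLIENT_I_DN held in 2.2) and
flag DNs that differ only in letter case, which SSLRequire's eq treats as different."""
import base64
import re

# Attribute OIDs that mod_ssl prints by short name in the legacy DN format.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """All (tag, value) elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))


def name_to_legacy_dn(name_body):
    """Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue -> "/C=../CN=.."."""
    parts = []
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            (_, oid_raw), (_, val_raw) = der_children(atv)[:2]
            oid = decode_oid(oid_raw)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val_raw.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)


def cert_dns(cert_der):
    """Return (issuer, subject) of one DER-encoded certificate."""
    _, cert_body, _ = der_tlv(cert_der)   # Certificate SEQUENCE
    _, tbs_body, _ = der_tlv(cert_body)   # tbsCertificate SEQUENCE
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_to_legacy_dn(fields[2][1]), name_to_legacy_dn(fields[4][1])


def bundle_dns(pem_text):
    """(issuer, subject) for every certificate in the bundle, in file order."""
    return [cert_dns(base64.b64decode("".join(m.group(1).split())))
            for m in PEM_RE.finditer(pem_text)]


def case_only_collisions(dns):
    """Pairs that are equal ignoring case but not byte-for-byte; one eq string matches at most one."""
    seen, found = {}, []
    for dn in dns:
        key = dn.lower()
        if key in seen and seen[key] != dn:
            found.append((seen[key], dn))
        seen.setdefault(key, dn)
    return found


# --- constructed sample input: two placeholder CA certificates, unsigned (assumed values) ---
OID_DER = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption


def _tlv(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body


def _name(attrs):
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, OID_DER[k]) + _tlv(0x0C, v.encode())))
                               for k, v in attrs))


def _placeholder_cert(name):
    """Structurally valid, self-issued Certificate DER with a dummy key and signature."""
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"130301000000Z") + _tlv(0x17, b"230301000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(name)
               + validity + _name(name) + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


CA_A = [("C", "US"), ("O", "acme"), ("OU", "acme"), ("CN", "acme")]
CA_B = [("C", "US"), ("O", "Acme"), ("OU", "acme"), ("CN", "acme")]  # same DN, different case
SAMPLE_BUNDLE = _pem(_placeholder_cert(CA_A)) + _pem(_placeholder_cert(CA_B))

if __name__ == "__main__":
    dns = bundle_dns(SAMPLE_BUNDLE)
    print(*(f"issuer={i}  subject={s}" for i, s in dns), sep="\n")
    print("case-only collisions:", case_only_collisions([i for i, _ in dns]))
```

The strings this prints are exactly what the `eq` comparison sees, so a difference that is easy to overlook in the comma-separated `-text` output (here `O=acme` against `O=Acme`) becomes visible, and the collision list tells you which client certificates a single `SSLRequire` string will reject.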
