I've installed "SSLeay-0.9.0b" and "mod_ssl-2.0.13-1.3.3.tar.gz"
on my RH Linux machine.
Everything is working fine except for one problem.
I set up my own certificate authority named "CBNU CA" using SSLeay.
I installed certificates for a server and clients issued by "CBNU CA"
and set up the web server so that it accepts only certificates issued by
"CBNU CA".
I wanted to make an SSL connection using client certificates.

(1) I configured one virtual host with "SSLVerifyClient require".
Below is the corresponding httpd.conf.

<IfDefine SSL>
SSLCacheServerPath     /home/httpsd/sbin/ssl_gcache
SSLCacheServerPort     12345
SSLSessionCacheTimeout 300

<VirtualHost 210.115.165.11:443>
DocumentRoot /home/httpsd/share/apache/htdocs
ServerName nscience.chungbuk.ac.kr
....
SSLEnable
SSLRequireSSL
SSLVerifyClient 2
....
</VirtualHost>
</IfDefine>

With this httpd.conf I failed to make an SSL connection with MSIE.
But it is OK with Netscape Navigator.

(2) I tried to configure two virtual hosts,
one with "SSLVerifyClient none" and the other one with "SSLVerifyClient
require".
My httpd.conf looks like:


<IfDefine SSL>
SSLCacheServerPath     /home/httpsd/sbin/ssl_gcache
SSLCacheServerPort     12345
SSLSessionCacheTimeout 300

<VirtualHost 210.115.165.11:443>
DocumentRoot /home/httpsd/share/apache/htdocs
ServerName nscience.chungbuk.ac.kr
....
SSLEnable
SSLRequireSSL
SSLVerifyClient 0
....
</VirtualHost>

<VirtualHost 210.115.165.11:8443>
DocumentRoot /home/httpsd/share/apache/htdocs_cert
ServerName nscience.chungbuk.ac.kr
..
....
SSLEnable
SSLRequireSSL
SSLVerifyClient 2
....
</VirtualHost>

</IfDefine>

Documents in the virtual host with port number 8443
should be accessed only using client certificates.
For Netscape Navigator this is OK.
But for MSIE (4.01), regardless of having the required certificates,
MSIE establishes an SSL connection without using client certificates.
(If I try to access the virtual host with port number 8443 first, I fail.
But after I access the virtual host with port number 443,
I can access the one with port number 8443. The last one is an SSL
connection but does not use client certificates.)
If this is true, the Apache server with mod_ssl would have a security
problem.



As a result I never succeeded in making an SSL connection using a client
certificate with MSIE.


Thanks.


Haewon Lee
Physics Dept.
Chungbuk National University
S. Korea

______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
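
Added example, not part of the original post or of mod_ssl: a small Python check that reads an httpd.conf like the second one above and lists where a virtual host with "SSLVerifyClient require" shares an address with one that does not require a certificate, which are the port pairs to retest in the order the post describes. The function names and the sample configuration are constructed for illustration; the numeric mapping covers only the two levels the post uses, and a missing directive is assumed to mean "none".

```python
import re
from collections import defaultdict

# Numeric levels as the post pairs them with names (0 = none, 2 = require).
LEVELS = {"0": "none", "2": "require"}

# Constructed sample: the two virtual hosts from the post, elided lines dropped.
SAMPLE_CONF = """\
<IfDefine SSL>
<VirtualHost 210.115.165.11:443>
ServerName nscience.chungbuk.ac.kr
SSLEnable
SSLVerifyClient 0
</VirtualHost>
<VirtualHost 210.115.165.11:8443>
ServerName nscience.chungbuk.ac.kr
SSLEnable
SSLVerifyClient 2
</VirtualHost>
</IfDefine>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: address, port, verify level."""
    vhosts, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        parts = line.split()
        m = re.match(r"<VirtualHost\s+([^:>\s]+):(\d+)\s*>", line, re.I)
        if m:
            # Assumption: no SSLVerifyClient line means no client verification.
            cur = {"addr": m.group(1), "port": int(m.group(2)), "verify": "none"}
        elif cur and re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(cur)
            cur = None
        elif cur and len(parts) > 1 and parts[0].lower() == "sslverifyclient":
            cur["verify"] = LEVELS.get(parts[1].lower(), parts[1].lower())
    return vhosts

def mixed_verify_pairs(vhosts):
    """Pair each 'require' host with every weaker host on the same address."""
    by_addr = defaultdict(list)
    for v in vhosts:
        by_addr[v["addr"]].append(v)
    pairs = []
    for addr, group in by_addr.items():
        strict = [v for v in group if v["verify"] == "require"]
        lax = [v for v in group if v["verify"] != "require"]
        pairs += [(addr, l["port"], s["port"]) for s in strict for l in lax]
    return pairs
```

Each returned tuple is (address, port without required client certificate, port with "require"); an empty list means no address mixes the two settings.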
