I've installed "SSLeay-0.9.0b" and "mod_ssl-2.0.13-1.3.3.tar.gz"
on my RH Linux machine.
Everything is working fine except for one problem.
I set up my own certificate authority named "CBNU CA" using SSLeay.
I installed certificates for a server and clients issued by "CBNU CA"
and set up the web server so that it accepts only certificates issued by
"CBNU CA".
I wanted to make an SSL connect using client certificates.
(1) I configured one virtual host with "SSLVerifyClient require".
Below is the corresponding httpd.conf.
<IfDefine SSL>
SSLCacheServerPath /home/httpsd/sbin/ssl_gcache
SSLCacheServerPort 12345
SSLSessionCacheTimeout 300
<VirtualHost 210.115.165.11:443>
DocumentRoot /home/httpsd/share/apache/htdocs
ServerName nscience.chungbuk.ac.kr
....
SSLEnable
SSLRequireSSL
SSLVerifyClient 2
....
</VirtualHost>
</IfDefine>
With this httpd.conf I failed to make an SSL connection with MSIE.
But it is OK with Netscape Navigator.
(2) I tried to configure two virtual hosts, one with
"SSLVerifyClient none" and the other one with "SSLVerifyClient require".
My httpd.conf looks like:
<IfDefine SSL>
SSLCacheServerPath /home/httpsd/sbin/ssl_gcache
SSLCacheServerPort 12345
SSLSessionCacheTimeout 300
<VirtualHost 210.115.165.11:443>
DocumentRoot /home/httpsd/share/apache/htdocs
ServerName nscience.chungbuk.ac.kr
....
SSLEnable
SSLRequireSSL
SSLVerifyClient 0
....
</VirtualHost>
<VirtualHost 210.115.165.11:8443>
DocumentRoot /home/httpsd/share/apache/htdocs_cert
ServerName nscience.chungbuk.ac.kr
..
....
SSLEnable
SSLRequireSSL
SSLVerifyClient 2
....
</VirtualHost>
</IfDefine>
Documents in the virtual host with port number 8443
should be accessed only using client certificates.
For Netscape Navigator this is OK.
But for MSIE (4.01), regardless of having the required certificates,
MSIE establishes an SSL connection not using client certificates.
(If I try to access the virtual host with port number 8443 first, I fail.
But after I access the virtual host with port number 443,
I can access the one with port number 8443. The last one is an SSL
connection but does not use client certificates.)
If this is true, the Apache server with mod_ssl would have a security
problem.
As a result I never succeeded in making an SSL connection using a client
certificate with MSIE.
Thanks.
Haewon Lee
Physics Dept.
Chungbuk National University
S. Korea
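
One mechanism that would produce the sequence reported above is reuse of a cached SSL session across the two virtual hosts, since a resumed handshake does not request a certificate again; the message does not confirm this, so treat it as an assumption. The Python model below is an added example, not code from the post or from mod_ssl, and its class and function names are hypothetical; it replays the three requests against a cache keyed by session ID alone and against one that binds each session to the virtual host that created it.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-ins for the two virtual hosts in the post:
# port -> whether that host is set to require a client certificate.
VHOSTS = {443: False, 8443: True}

@dataclass
class Session:
    port: int              # virtual host that ran the full handshake
    client_verified: bool  # True only if a client certificate was checked

class Server:
    """Toy server whose virtual hosts share one session cache."""
    def __init__(self, bind_to_vhost):
        self.bind_to_vhost = bind_to_vhost
        self.cache = {}  # session id -> Session

    def _may_resume(self, sess, port):
        if not self.bind_to_vhost:
            return True  # weak: any cached session id is accepted anywhere
        # hardened: same host only, and verified if this host demands it
        return sess.port == port and (sess.client_verified or not VHOSTS[port])

    def connect(self, port, session_id=None, has_cert=False):
        """Return (accepted, session_id, client_cert_verified)."""
        sess = self.cache.get(session_id)
        if sess is not None and self._may_resume(sess, port):
            # Abbreviated handshake: no certificate is requested again.
            return True, session_id, sess.client_verified
        if VHOSTS[port] and not has_cert:
            return False, None, False  # full handshake fails without a cert
        sid = secrets.token_hex(16)
        verified = VHOSTS[port] and has_cert
        self.cache[sid] = Session(port, verified)
        return True, sid, verified

def replay(server):
    """The three requests from the post, made by a client that sends no cert."""
    first = server.connect(8443)
    plain = server.connect(443)
    second = server.connect(8443, session_id=plain[1])
    return first[0], plain[0], second[0], second[2]

if __name__ == "__main__":
    print("shared cache, id only:", replay(Server(bind_to_vhost=False)))
    print("bound to virtual host:", replay(Server(bind_to_vhost=True)))
```

Each tuple reads (8443 first, 443, 8443 after 443, client certificate verified on that last connection).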