On Saturday, 11 June 2005 10:34, Harry Knitter wrote:
> I'm trying to set up a system where the client authentication for a special
> directory should be done via client certificates. I have set up a CA (using
> OpenSSL) and the according certificate and key files for the CA the server
> and a client.
> The client browser (Mozilla Firefox) has all certificates necessary.
> My vhost-ssl.conf (based on the standard template file) contains the
> following directory entry
>
> <Directory /srv/www/htdocs/very/secure>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLRequireSSL
> SSLOptions +FakeBasicAuth
> SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
> SSLCipherSuite HIGH:MEDIUM
> SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organisation" \
> and %{SSL_CLIENT_S_DN_OU} eq "My Department"
> </Directory>
>
> However the browser cannot access the directory. The client is waiting for my
> server until server timeout.
> Apache's error.log (level=info) shows
>
> Creating new config (0x5cbfc8) for (null)
> [Thu Jun 09 17:28:45 2005] [info] Init: Initializing OpenSSL library
> [Thu Jun 09 17:28:45 2005] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Thu Jun 09 17:28:45 2005] [info] Loading certificate & private key of
> SSL-aware server
> [Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary RSA private
> keys (512/1024 bits)
> [Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary DH parameters
> (512/1024 bits)
> [Thu Jun 09 17:28:45 2005] [info] Shared memory session cache initialised
> [Thu Jun 09 17:28:45 2005] [info] Init: Initializing (virtual) servers for
> SSL
> [Thu Jun 09 17:28:45 2005] [info] Configuring server for SSL protocol
> [Thu Jun 09 17:28:45 2005] [info] Server: Apache/2.0.53, Interface:
> mod_ssl/2.0.53, Library: OpenSSL/0.9.7e
> [Thu Jun 09 17:28:46 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured --
> resuming normal operations
> [Thu Jun 09 17:28:46 2005] [info] Server built: Mar 19 2005 22:42:07
> [Thu Jun 09 17:33:46 2005] [info] Connection to child 0 established (server
> www.myserver.com:443, client 192.168.0.253)
> [Thu Jun 09 17:33:46 2005] [info] Seeding PRNG with 144 bytes of entropy
> [Thu Jun 09 17:33:46 2005] [info] Initial (No.1) HTTPS request received for
> child 0 (server www.myserver.com:443)
> [Thu Jun 09 17:33:46 2005] [info] Requesting connection re-negotiation
> [Thu Jun 09 17:33:46 2005] [info] Awaiting re-negotiation handshake
> [Thu Jun 09 17:38:46 2005] [error] Re-negotiation handshake failed: Not
> accepted by client!?
>
> The other directories of the server can be accessed with SSL without any
> problems.
> Also the SSLRequireSSL directive doesn't work as expected. I still can access
> that directory without using SSL.
>
> What's wrong?
> (I'm using a version 2.0.53 apache (mod_ssl builtin) on a SuSE 9.3 64-bit
> system)
>
> Thanks for any helpful hint
>
> Harry
I've found the solution!
Being always a little paranoid, I had created certificates and keys with a
4096 bit length. This was too much.
After creating new certificates and keys with 2048 bit length, almost
everything works fine.
The only problem remaining is that ordinary http-access to my directory is
still possible, even if SSLRequireSSL is set.
How can I solve this?
Harry
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
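The remaining question (plain HTTP still reaches the directory although SSLRequireSSL is set) comes down to where the directive lives. A `<Directory>` section inside the `:443` virtual host only governs requests that arrive at that host; a request for the same path on port 80 is handled by the plain-HTTP vhost, which never sees the directive. Moving the `<Directory>` section to the main server context makes Apache merge it into every virtual host, so the port-80 vhost now answers with 403 for that path. The configuration below is an added example and not part of the original post: the directory, CA path, organisation and department values are taken from the post, while the `*:80` vhost, the `server.crt`/`server.key` paths and the `_default_:443` form are assumptions.

```apache
# Main server context (outside any <VirtualHost>), e.g. in httpd.conf or a
# separate included file. <Directory> sections defined here are inherited by
# every virtual host, so the plain-HTTP vhost and the HTTPS vhost both apply them.
<Directory /srv/www/htdocs/very/secure>
    # Deny any request that did not arrive over SSL/TLS (Apache answers 403).
    # SSLRequireSSL is only valid in directory/.htaccess context, which is why
    # it cannot simply be placed in the <VirtualHost> block itself.
    SSLRequireSSL

    # Client-certificate checks. On a plain-HTTP connection mod_ssl has already
    # refused the request above, so these only take effect on the HTTPS vhost.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organisation" \
           and %{SSL_CLIENT_S_DN_OU} eq "My Department"

    # +FakeBasicAuth maps the client certificate's subject DN onto a Basic-Auth
    # user name; it only does anything in combination with a normal AuthType
    # Basic / AuthUserFile setup whose entries are the one-line DNs.
    SSLOptions +FakeBasicAuth
</Directory>

# Plain-HTTP vhost (assumed). It serves the same DocumentRoot, but because the
# <Directory> section above is global, /very/secure is now refused here too.
<VirtualHost *:80>
    ServerName   www.myserver.com
    DocumentRoot /srv/www/htdocs
    # Optional: send visitors to the HTTPS site instead of a bare 403.
    # Redirect permanent / https://www.myserver.com/
</VirtualHost>

# HTTPS vhost. SSLCACertificateFile is a server/virtual-host directive, so the
# CA used to verify client certificates is configured here, not per directory.
<VirtualHost _default_:443>
    ServerName   www.myserver.com
    DocumentRoot /srv/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca.crt
    SSLCipherSuite HIGH:MEDIUM
</VirtualHost>
```

A quick way to confirm the effect after a reload is to request the path once over `http://` and once over `https://` with a client certificate: the first must return 403 (or the redirect, if enabled), the second should trigger the renegotiation for the client certificate and succeed.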