On Saturday, 11 June 2005 10:34, Harry Knitter wrote:
> I'm trying to set up a system where the client authentication for a special
> directory should be done via client certificates. I have set up a CA (using
> OpenSSL) and the corresponding certificate and key files for the CA, the server
> and a client.
> The client browser (Mozilla Firefox) has all certificates necessary.
> My vhost-ssl.conf (based on the standard template file) contains the
> following directory entry
>
> <Directory /srv/www/htdocs/very/secure>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLRequireSSL
> SSLOptions +FakeBasicAuth
> SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
> SSLCipherSuite HIGH:MEDIUM
> SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organisation" \
> and %{SSL_CLIENT_S_DN_OU} eq "My Department"
> </Directory>
>
> However the browser cannot access the directory. The client is waiting for my
> server until server timeout.
> Apache's error.log (level=info) shows
>
> Creating new config (0x5cbfc8) for (null)
> [Thu Jun 09 17:28:45 2005] [info] Init: Initializing OpenSSL library
> [Thu Jun 09 17:28:45 2005] [info] Init: Seeding PRNG with 144 bytes of entropy
> [Thu Jun 09 17:28:45 2005] [info] Loading certificate & private key of SSL-aware server
> [Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
> [Thu Jun 09 17:28:45 2005] [info] Shared memory session cache initialised
> [Thu Jun 09 17:28:45 2005] [info] Init: Initializing (virtual) servers for SSL
> [Thu Jun 09 17:28:45 2005] [info] Configuring server for SSL protocol
> [Thu Jun 09 17:28:45 2005] [info] Server: Apache/2.0.53, Interface: mod_ssl/2.0.53, Library: OpenSSL/0.9.7e
> [Thu Jun 09 17:28:46 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
> [Thu Jun 09 17:28:46 2005] [info] Server built: Mar 19 2005 22:42:07
> [Thu Jun 09 17:33:46 2005] [info] Connection to child 0 established (server www.myserver.com:443, client 192.168.0.253)
> [Thu Jun 09 17:33:46 2005] [info] Seeding PRNG with 144 bytes of entropy
> [Thu Jun 09 17:33:46 2005] [info] Initial (No.1) HTTPS request received for child 0 (server www.myserver.com:443)
> [Thu Jun 09 17:33:46 2005] [info] Requesting connection re-negotiation
> [Thu Jun 09 17:33:46 2005] [info] Awaiting re-negotiation handshake
> [Thu Jun 09 17:38:46 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
>
> The other directories of the server can be accessed with SSL without any
> problems.
> Also the SSLRequireSSL directive doesn't work as expected. I can still access
> that directory without using SSL.
>
> What's wrong?
> (I'm using a version 2.0.53 Apache (mod_ssl built in) on a SuSE 9.3 64-bit
> system)
>
> Thanks for any helpful hint
>
> Harry
I've found the solution! As I'm always a little paranoid, I had created certificates and keys with a 4096 bit length. This was too much. After creating new certificates and keys with 2048 bit length, almost everything works fine.

The only problem remaining is that ordinary HTTP access to my directory is still possible, even if SSLRequireSSL is set. How can I solve this?

Harry

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
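The remaining problem in the thread (the directory is still reachable over plain HTTP although SSLRequireSSL is set) usually has a scoping cause: a `<Directory>` block placed inside the `*:443` virtual host only affects requests served by that virtual host. The `*:80` virtual host serves the same filesystem path, never sees those directives, and therefore hands the files out in the clear. The configuration below is an added example written for this page, not the poster's own file or SuSE's template. The host name, paths and the optional password file are assumptions taken from the post or invented for illustration. It shows the posted layout beside the corrected one, in which the per-path policy lives at server scope so that it merges into every virtual host that serves that path; `SSLCACertificateFile` stays in the SSL virtual host because mod_ssl only accepts it at server or virtual-host scope, and `SSLRequireSSL` alone makes mod_ssl answer 403 for any request that did not arrive over SSL.

```apache
# Added example, not part of the original post. Host name and paths are
# assumptions (taken from the post or invented); adapt them to your layout.

# --- As posted (reduced): the policy lives only inside the SSL vhost.
# The *:80 vhost below serves the same DocumentRoot, never sees this
# <Directory> block, and so serves /very/secure over plain HTTP.
#
# <VirtualHost *:443>
#     SSLEngine on
#     <Directory /srv/www/htdocs/very/secure>
#         SSLVerifyClient require
#         SSLRequireSSL
#     </Directory>
# </VirtualHost>
#
# <VirtualHost *:80>
#     DocumentRoot /srv/www/htdocs
# </VirtualHost>

# --- Corrected: per-path policy at server scope, outside every
# <VirtualHost>, so it applies to the *:80 vhost as well. A plain-HTTP
# request for this path now gets "403 Forbidden" from SSLRequireSSL.
<Directory /srv/www/htdocs/very/secure>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCipherSuite HIGH:MEDIUM
    SSLRequire %{SSL_CLIENT_S_DN_O}  eq "My Organisation" \
           and %{SSL_CLIENT_S_DN_OU} eq "My Department"

    # Optional, only if REMOTE_USER is wanted: FakeBasicAuth turns the
    # client certificate DN into a Basic-auth user name. The password file
    # (assumed path) must list each permitted DN with the fixed crypt()
    # value of the word "password" that mod_ssl expects, xxj31ZMTZzkVA.
    # SSLOptions +FakeBasicAuth
    # AuthType Basic
    # AuthName "Client certificate required"
    # AuthUserFile /etc/apache2/ssl.users
    # Require valid-user
</Directory>

<VirtualHost *:443>
    ServerName www.myserver.com
    DocumentRoot /srv/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    # CA that issued the client certificates; valid at vhost scope only.
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca.crt
</VirtualHost>

<VirtualHost *:80>
    ServerName www.myserver.com
    DocumentRoot /srv/www/htdocs
    # Optional: send plain-HTTP visitors to the SSL vhost instead of a bare
    # 403. The <Directory> block above still denies the clear-text request
    # if mod_rewrite is not loaded, so this is convenience, not the control.
    RewriteEngine On
    RewriteRule ^/very/secure(/.*)?$ https://www.myserver.com/very/secure$1 [R=301,L]
</VirtualHost>
```

After restarting, check both paths from another host rather than trusting the browser: `curl -I http://www.myserver.com/very/secure/` should return 403 (or 301 with the rewrite), and `openssl s_client -connect www.myserver.com:443 -cert client.crt -key client.key -CAfile ca.crt` followed by a hand-typed `GET /very/secure/ HTTP/1.0` shows whether the renegotiation for the client certificate completes independently of the browser, which is a useful way to separate a server-side problem from a client-side one such as the 4096-bit certificate the thread ended up replacing.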