I try to do X.509 client authentication with Apache
Apache/2.0.54. This works fine. Now I want to check
for certain fields in the client certificate with
SSLRequire. Even though I ask that
%{SSL_CLIENT_S_DN_CN} eq "Testuser"
the server permits access to a client with
SSL_CLIENT_S_DN_CN="testuser2". What's wrong?
Here is the corresponding section from my config:
SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
<Directory "/home/gellert/htdocs/ssltest">
    AllowOverride None
    Options +FollowSymLinks +Includes
    Order deny,allow
    Deny from all
    Allow from localhost
    SSLRequireSSL
    SSLRequire (    %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
                 && %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
                 && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
</Directory>
Anything forgotten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):
SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2
Hmmm.... Any clues?
Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]