I'm trying to go through the most basic tutorials on mod_ssl and I'm having a problem trying to get my server to issue a certificate request for a particular URL. I'm listing my Apache and OpenSSL version information.

# httpd -v
Server version: Apache/2.2.14 (Unix)
Server built:   Dec 3 2009 10:25:53
# openssl version
OpenSSL 1.0.0-fips-beta4 10 Nov 2009

I've followed the steps of this tutorial:
http://www.vanemery.com/Linux/Apache/apache-SSL.html

I've also tried to follow the SSL HowTo on the Apache site:
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

I'll try to get at the heart of the issue. If I have the following in my ssl.conf file in the VirtualHost section

SSLVerifyClient require
SSLVerifyDepth 1

then everything works as expected. I have the client certificate installed in my client web browser, and when I click on the link to my https server, which is https://myserver, it prompts me to get the certificate of the server and confirm a security exception, and also prompts me with a user identification request, at which point I can choose a certificate to identify the client to my server. I see my index.html page, which has a link to the directory https://myserver/Certneeded. I can click on this directory and see a list of the files in that directory.

However, if I change my ssl.conf in an attempt to "force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server", as per the Apache HowTo, then I never get prompted with this "user identification request" with which I can identify my client web browser to the server. In this case, my ssl.conf file changes to the following.

SSLVerifyClient none
<Location /Certneeded>
    Options Indexes
    SSLVerifyClient require
    SSLVerifyDepth 1
</Location>

Now, when I click on the link to https://myserver/Certneeded, the client browser just hangs until a timeout is reached, I'm never prompted to present a certificate for identification, and the contents of the directory are not listed.

In Wireshark, I see a client hello, followed by a server hello, followed by a change cipher spec, presumably because I was never prompted for an identification certificate by the server within a set time. In the "good" case, when my "SSLVerifyClient require" statement is in the VirtualHost section of the ssl.conf file, in Wireshark I see a client hello, followed by a server hello, followed by a "certificate, server key exchange, certificate request", which seems to be where the window pops up in my client prompting me with a user identification request.

In trying to debug this, I noticed that if I do a hack and revert back to an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, then both configurations (per-server and per-directory contexts) work as expected.

What might be wrong here?

Aaron

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
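The difference between the two Wireshark captures in the post can be checked without a browser. The following is an added example, not code from the post or from mod_ssl: a small Python probe that sends a bare TLS 1.0 ClientHello and reports whether the server's first flight contains a CertificateRequest, which is what SSLVerifyClient require in the VirtualHost produces, while the same directive inside <Location> can only ask for the certificate in a renegotiation after Apache has seen the URL. The host name, the single cipher suite and the two sample server flights are assumptions constructed for the example; the probe observes only the initial handshake, not the later renegotiation.

```python
import socket
import struct

CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 1, 2, 11, 13, 14  # RFC 5246

def handshake_msg(mtype, body):  # 1-byte type, 3-byte length, body
    return bytes([mtype]) + struct.pack(">I", len(body))[1:] + body

def tls_record(payload):  # handshake record, version 3.1 (TLS 1.0)
    return b"\x16\x03\x01" + struct.pack(">H", len(payload)) + payload

def build_client_hello():
    """Minimal TLS 1.0 ClientHello: zero random (constructed), one RSA suite, no extensions."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"  # version, client_random, empty session id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"    # TLS_RSA_WITH_AES_128_CBC_SHA; null compression
    return tls_record(handshake_msg(CLIENT_HELLO, body))

def handshake_types(records):
    """Handshake message types in a byte string of TLS records, up to ServerHelloDone.
    Record payloads are joined first because one message can span several records."""
    payload, i = b"", 0
    while i + 5 <= len(records):
        length = struct.unpack(">H", records[i + 3:i + 5])[0]
        if records[i] == 0x16:
            payload += records[i + 5:i + 5 + length]
        i += 5 + length
    types, j = [], 0
    while j + 4 <= len(payload):
        types.append(payload[j])
        if payload[j] == SERVER_HELLO_DONE:
            break
        j += 4 + struct.unpack(">I", b"\x00" + payload[j + 1:j + 4])[0]
    return types

def server_requests_cert(host, port=443, timeout=5):
    """True if the server's first flight carries a CertificateRequest (hypothetical host is assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data, chunk = b"", b"x"
        while chunk and SERVER_HELLO_DONE not in handshake_types(data):
            chunk = s.recv(16384)
            data += chunk
    return CERTIFICATE_REQUEST in handshake_types(data)

def sample_flight(with_request):  # constructed server flight, as in the post's two Wireshark captures
    msgs = handshake_msg(SERVER_HELLO, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x2f\x00")
    msgs += handshake_msg(CERTIFICATE, b"\x00\x00\x00")  # empty certificate list (placeholder)
    if with_request:
        msgs += handshake_msg(CERTIFICATE_REQUEST, b"\x01\x01\x00\x00")  # rsa_sign, no CA names
    msgs += handshake_msg(SERVER_HELLO_DONE, b"")
    return tls_record(msgs[:30]) + tls_record(msgs[30:])  # split mid-message on purpose
```

Against the per-vhost configuration server_requests_cert("myserver") returns True; against the per-Location one it returns False, and the certificate prompt can only appear if the renegotiation that follows the HTTP request succeeds.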