Re: mod_ssl: SSLRequire

2006-04-05 Thread Olaf Gellert
[EMAIL PROTECTED] wrote:

> How deep is VerifyDepth ? 

I guess this is the wrong direction of error checking.
VerifDepth and VerifyRequire are used in evaluating the
certificate chain on SSL connection establishment, the
SSLRequire expression is evaluated after the HTTP request
is successfully transmitted and the server already knows
which webpage is requested (it's a "directory" section...)

Of course VerifyDepth is sufficient (every value above 2
works in my case, as expected), if it was not, the error
would be something like "unable to get issuer certificate",
because evaluation starts at the leaf (= client certificate)
going up to the root CA cer.

> I know it will be a big file, but for this purposes i use to turn on
> "LogLevel Debug" than the error_log will become very verbose.
> There Apache will tell if your "testuser" will be checked or not .

How would that look like? I see at the connection
establishment:

[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate 
Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root,
issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate 
Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA
01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate 
Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User
Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01

After many bytes of packet dump I see the HTTP request
arrived:

[Wed Apr 05 19:17:59 2006] [info] Initial (No.1) HTTPS request received for 
child 0 (server www.testserver.de:443)

and then again lots of bytes (the webpage that is delivered).
Nothing about the check of SSLRequire...

Thanx for your help anyways. :-)  I guess the next step
will be stracing the whole thing...

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


RE: mod_ssl: SSLRequire

2006-04-05 Thread Oliver.Schaudt
 
>[EMAIL PROTECTED] wrote:
>> Perhaps
>>   SSLVerifyClient require
>> 
>> Default is
>>   SSLVerifyClient none

>Good idea, but  this is set already (otherwise the
>client would not authentify with the certificate)
>for this virtual host. Moving it into the directory
>section does not change anything either. And VerifyDepth
>is set, too...

How deep is VerifyDepth ? 

I know it will be a big file, but for this purposes i use to turn on
"LogLevel Debug" than the error_log will become very verbose.
There Apache will tell if your "testuser" will be checked or not .

>Olaf

bye

Oliver


-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

<>

Re: mod_ssl: SSLRequire

2006-04-05 Thread Olaf Gellert
[EMAIL PROTECTED] wrote:
> Perhaps
>   SSLVerifyClient require
> 
> Default is
>   SSLVerifyClient none

Good idea, but  this is set already (otherwise the
client would not authentify with the certificate)
for this virtual host. Moving it into the directory
section does not change anything either. And VerifyDepth
is set, too...

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


RE: mod_ssl: SSLRequire

2006-04-05 Thread Oliver.Schaudt
Perhaps
  SSLVerifyClient require

Default is
  SSLVerifyClient none

Greetings

Oliver
-Ursprüngliche Nachricht-
Von: [EMAIL PROTECTED] im Auftrag von Olaf Gellert
Gesendet: Mi 05.04.2006 14:08
An: modssl-users@modssl.org
Betreff: mod_ssl: SSLRequire
 
I try to do X.509 client authentication with Apache
Apache/2.0.54. This works fine. Now I want to check
for certain fields in the client certificate with
SSLRequire. Even though I ask that

%{SSL_CLIENT_S_DN_CN} eq "Testuser"

the server permits accesss to a client with
SSL_CLIENT_S_DN_CN="testuser2". What's wrong?

Here is the according section from my config:

 SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
 

   AllowOverride None
   Options +FollowSymLinks +Includes
   Order deny,allow
   Deny from all
   Allow from localhost
   SSLRequireSSL
   SSLRequire (%{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
&& %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
&& %{SSL_CLIENT_S_DN_CN} eq "Testuser" )


Anything forgotten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm Any clues?

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

<>