I think all you need to do is tighten up your SSLRequire rules.
Something like this (all on one line, omitting the backslash at line-end):
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 \
and %{SSL_CLIENT_I_DN} eq "IssuingCA2"
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23
Omar
[EMAIL PROTECTED] wrote:
Hi all --
I'm having some trouble configuring Apache/mod_ssl to do what I want.
Perhaps I have some misconceptions that need dispelled. Any help would be
grealy appreciated.
OVERVIEW/GOAL:
I'm retrofitting some Apache servers to require client certificates. Note
that these servers have certificates that are (temporarily) self-signed.
Our organization already has a PKI consisting of a self-signed RootCA and
two IssuingCAs. My goal here is to configure my Apache server to require
user certificates issued by IssuingCA2, and to refuse access to all
others.
Server version: Apache/2.2.3
Server built: Aug 10 2006 17:29:16
OpenSSL 0.9.8b 04 May 2006
THE PROBLEM:
The problem is that I've found only one configuration that will allow a
client to successfully load a page, and in this case, it will also allow
the use of user certificates issued by the other IssuingCA. I find this
baffling, since I haven't told Apache anything about this particular
IssuingCA.
I believe that my problems are centering around the SSLCACertificateFile
directive. See below for my SSL (scrubbed) conf file.
CASE 1:
If I use this invocation, Apache allows certificates from any issuing CA
that has been signed by our Root CA. Note that certchain.cer is a
concatenation of the PEM-encoded certificates for IssuingCA2 and the
RootCA (specifically, of IssuingCA2.cer and RootCA.cer mentioned in the
next two cases).
SSLCACertificateFile conf/ssl/certchain.cer
Here is the logfile exerpt for this case:
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 2, subject: [SNIP]Root CA, issuer: [SNIP]Root CA
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 1, subject: [SNIP]Issuing CA 1, issuer: [SNIP]Root CA
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 0, subject: /CN=[SNIP], issuer: [SNIP]Issuing CA 1
CASE 2:
If I use this invocation, Apache will run but will complain (whenever the
protected page is loaded) that it can't find the local issuer certificate.
I've tried setting SSLVerifyDepth to 1, but this didn't help anything.
The only good thing about this case is that the list of certificates
presented by the remote browser to the user only includes those directly
issued by IssuingCA2.
SSLCACertificateFile conf/ssl/IssuingCA2.cer
Here is the logfile exerpt for this case:
[Mon Apr 23 22:31:18 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 1, subject: [SNIP]Issuing CA 2, issuer: [SNIP]Root CA
[Mon Apr 23 22:31:18 2007] [error] Certificate Verification: Error (20):
unable to get local issuer certificate
CASE 3:
If I use this invocation, Apache won't even run. Note that the content of
RootCA.cer is exactly the same content that makes up an essential part of
certchain.cer (see above). AFAIK, this certificate should have format and
content readily useable by Apache. The only special thing about it, is
that it is a self-signed certificate (does that make a difference?)
SSLCACertificateFile conf/ssl/RootCA.cer
Here is the logfile exerpt for this case:
[Mon Apr 23 22:02:13 2007] [info] Loading certificate & private key of
SSL-aware server
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_pphrase.c(469): unencrypted
RSA private key - pass phrase not required
[Mon Apr 23 22:02:13 2007] [info] Configuring server for SSL protocol
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(405): Creating new
SSL context (protocols: SSLv2, TLSv1)
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(538): Configuring
client authentication
[Mon Apr 23 22:02:13 2007] [error] Unable to configure verify locations
for client authentication
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 33558533
error:02001005:system library:fopen:Input/output error
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 537317378
error:2006D002:BIO routines:BIO_new_file:system lib
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 185090050
error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
lib
HELP:
My expectation here was that I would need to provide the certificate chain
(issuing and root CA) required to authenticate the user certificate, and
that a user certificate issued by any other IssuingCA would fail because I
haven't given Apache the IssuingCA's certificate.
Instead, it seems like the server has gained access to the IssuingCA1
certificate (does it do this directly, or does the client send it?), and
is validating that certificate against the RootCA. This seems to happen
when I provided the RootCA in the SSLCACertificateFile, which (as I