RE: mod_ssl: SSLRequire
>[EMAIL PROTECTED] wrote:
>> Perhaps
>> SSLVerifyClient require
>>
>> Default is
>> SSLVerifyClient none

>Good idea, but this is set already (otherwise the
>client would not authenticate with the certificate)
>for this virtual host. Moving it into the directory
>section does not change anything either. And VerifyDepth
>is set, too...

How deep is VerifyDepth?

I know it will be a big file, but for this purpose I usually turn on "LogLevel Debug"; then the error_log will become very verbose. There Apache will tell if your "testuser" will be checked or not.

>Olaf

bye
Oliver

--
Dipl.Inform. Olaf Gellert
PRESECURE (R) Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE
[EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
RE: Session Cache is not configured
Do you have some lines like or before the sslcache entry?
I have to put this out of my ssl-config before it worked.

Greetings
Oliver

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of L. Steinbrügger - Fa. Rameder
Sent: Wed 05.04.2006 16:45
To: modssl-users@modssl.org
Subject: Session Cache is not configured

Hello,

I have a problem with Apache mod_ssl. I installed Apache 2.2.0 on a Suse Linux system. The server works fine, also with SSL, but in my SSL log the following error is written:

ssl_error.log
-
[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
-

I believe that the error is in my ssl_global.conf, but I found no further information on the internet ...

ssl_global.conf

SSLSessionCache dbm:/var/log/apache2/ssl_cache
SSLSessionCacheTimeout 600

--- The following modules are installed ---
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
suexec_module (shared)
actions_module (shared)
alias_module (shared)
autoindex_module (shared)
cgi_module (shared)
dir_module (shared)
include_module (shared)
log_config_module (shared)
mime_module (shared)
negotiation_module (shared)
setenvif_module (shared)
status_module (shared)
userdir_module (shared)
asis_module (shared)
rewrite_module (shared)
ssl_module (shared)
vhost_alias_module (shared)
php5_module (shared)
authn_dbm_module (shared)
auth_basic_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authn_file_module (shared)
authz_user_module (shared)
authz_default_module (shared)
---

I hope that someone can help me :)

Lars Steinbrügger
RE: mod_ssl: SSLRequire
Perhaps
SSLVerifyClient require

Default is
SSLVerifyClient none

Greetings
Oliver

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Olaf Gellert
Sent: Wed 05.04.2006 14:08
To: modssl-users@modssl.org
Subject: mod_ssl: SSLRequire

I try to do X.509 client authentication with Apache Apache/2.0.54. This works fine. Now I want to check for certain fields in the client certificate with SSLRequire. Even though I ask that %{SSL_CLIENT_S_DN_CN} eq "Testuser", the server permits access to a client with SSL_CLIENT_S_DN_CN="testuser2". What's wrong?

Here is the corresponding section from my config:

SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
AllowOverride None
Options +FollowSymLinks +Includes
Order deny,allow
Deny from all
Allow from localhost
SSLRequireSSL
SSLRequire (%{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
         && %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
         && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )

Anything forgotten? If I print out the environment from within the webpage (with SSI #printenv), I see (among all the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm. Any clues?

Olaf

--
Dipl.Inform. Olaf Gellert
PRESECURE (R) Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE
[EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
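
Added example (not part of the thread and not mod_ssl code): a small Python evaluator for a subset of the SSLRequire syntax, run over the expression and the #printenv values posted above, to check offline what the expression itself should decide. It assumes `eq` is an exact, case-sensitive string comparison and that an unset variable compares as the empty string; the names `EXPR`, `ENV`, `tokenize` and `evaluate` are illustrative.

```python
import re

# Constructed from the thread: the posted SSLRequire expression and #printenv output.
EXPR = ('(%{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" '
        '&& %{SSL_CLIENT_S_DN_OU} eq "User Certificates" '
        '&& %{SSL_CLIENT_S_DN_CN} eq "Testuser" )')
ENV = {"SSL_CLIENT_S_DN_O": "SSLTest SubCA 01",
       "SSL_CLIENT_S_DN_OU": "User Certificates",
       "SSL_CLIENT_S_DN_CN": "testuser2"}

# Supported subset: %{VAR} eq|ne "literal", joined by && and ||, with parentheses.
TOKEN = re.compile(r'\s*(?:%\{(\w+)\}\s+(eq|ne)\s+"([^"]*)"|(&&|\|\||[()]))')

def tokenize(expr):
    if not re.fullmatch(f"(?:{TOKEN.pattern})*\\s*", expr):
        raise ValueError("unsupported SSLRequire syntax")
    return [op or (var, cmp, lit) for var, cmp, lit, op in TOKEN.findall(expr)]

def evaluate(expr, env):
    """Return (allowed, comparisons_that_failed) for the supported subset."""
    toks, failed = tokenize(expr), []

    def term():
        tok = toks.pop(0) if toks else None
        if tok == "(":
            result = chain("||")
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return result
        if not isinstance(tok, tuple):
            raise ValueError(f"expected a comparison, got {tok!r}")
        var, op, literal = tok
        actual = env.get(var, "")  # assumption: unset variable compares as ""
        ok = (actual == literal) == (op == "eq")  # exact, case-sensitive match
        if not ok:
            failed.append(f"{var} {op} {literal!r} (actual: {actual!r})")
        return ok

    def chain(op):  # "||" binds looser than "&&"
        operand = term if op == "&&" else (lambda: chain("&&"))
        result = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            rhs = operand()  # always parse the right-hand side
            result = (result and rhs) if op == "&&" else (result or rhs)
        return result

    allowed = chain("||")
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return allowed, failed
```

With the posted values the expression evaluates to deny, with the CN comparison as the only failing term, so the debug log is the place to see whether the directive is evaluated for the request at all.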