malicious
client could not send a client certificate of the other
CA. This certificate would be accepted then (because
evaluation of the chain is still done against the certificates
from SSLCACertificateFile). There is no check against the
certificates from SSLCADNRequestFile...
Regards, Ola
eny from all
Allow from 192.168.2 127.0.0.1
SSLRequireSSL
SSLOptions +StdEnvVars +StrictRequire
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
&& %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
--
Dipl.Inform. Olaf Gellert
d then again lots of bytes (the webpage that is delivered).
Nothing about the check of SSLRequire...
Thanx for your help anyways. :-) I guess the next step
will be stracing the whole thing...
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consu
anything either. And VerifyDepth
is set, too...
Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
otten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):
SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2
Hmmm... Any clues?
Olaf
--
Dipl.Inform. Olaf Gellert
> wasn't signed by the CA SnakeOil because
> it has expired??
I guess it means that the Snake Oil CA certificate has expired.
I just had a look into the certificate (provided with openssl-0.9.6g),
its validity is from 9th Oct 1995 until 5th Jul 1998.
So it should not be possible to create some
emantic of nmap, is a
closed port some port where in response to a SYN-packet,
a RST is sent? Or is it a filtered one (= no response).
Just to make sure it's not your firewall. Maybe you can
open all incoming and outgoing packets from localhost
(just for testing) and try a local telnet to t