Hi folks,
I'm using Apache 2.2.3 with mod_ssl on a RHELv5.5 box. I have
been stumped for 3 weeks now by a problem with SSLRequire
and certificates.
FWIW, I also built the latest Apache with SSL from source,
ran it on a separate port, and got equally odd results.
I have posed this same question/situation on the mod_ssl mailing
list, but did not get anywhere.
[r...@rtdev1 conf.d]# rpm -qa | grep httpd
httpd-2.2.3-43.el5_5.3
[r...@rtdev1 conf.d]# rpm -qa | grep mod_ssl
mod_ssl-2.2.3-43.el5_5.3
[r...@rtdev1 conf.d]#
Section from ssl.conf:
...
SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mlaveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}
...
The 403 error as it manifests itself in the ssl_error.log:
[Mon Nov 01 14:50:14 2010] [info] Access to
/apps/rtsrv1dev/share/html/ denied for xxx.xx.160.29 (requirement
expression not fulfilled)
[Mon Nov 01 14:50:14 2010] [info] Failed expression:
%{SSL_CLIENT_S_DN} in { "/O=our.org/OU=people/UID=jblaine/CN=Blaine
Charles J.", "/O=our.org/OU=people/UID=mlaveless/CN=Laveless Mark W.",
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." }
[Mon Nov 01 14:50:14 2010] [error] [client xxx.xx.160.29] access to
/apps/rtsrv1dev/share/html/ failed, reason: SSL requirement expression
not fulfilled (see SSL logfile for more details)
However, note the "SUCCESS" (bogus?) via CustomLog of
%{SSL_CLIENT_VERIFY}x
[01/Nov/2010:14:50:14 -0400] xxx.xx.160.29 on TLSv1 RC4-MD5
/O=our.org/OU=People/UID=bcian/CN=Ciancetta Barbara J. SUCCESS
And here's another failure from Barbara, with IE8 instead of
Firefox:
[01/Nov/2010:14:49:07 -0400] xxx.xx.160.29 on TLSv1 AES256-SHA
/O=our.org/OU=People/UID=bcietta/CN=Cietta Barbara J. SUCCESS
Note, however, this was a session that worked (SUCCESS actually
meant success...). IE8 on my machine:
[01/Nov/2010:15:02:46 -0400] xxx.xx.0.150 on TLSv1 AES128-SHA
/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS
Here's what *DOES WORK* for all parties with certificates, but
is not really what we want, and as I understand the docs, the
other (full DN) should work.
SSLRequire %{SSL_CLIENT_S_DN_CN} in { \
"Blaine Charles J.",
"Laveless Marc W.",
"Simpson Mary B",
"Cietta Barbara A." }
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
