On Mon, Mar 4, 2013 at 10:42 AM, Igor Cicimov <icici...@gmail.com> wrote:

> What I was trying to point to is this:
>
> # openssl x509 -noout -in
> /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         *Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root
> Certification Authority*
>         Validity
>             Not Before: Aug 28 07:24:33 2008 GMT
>             Not After : Dec 31 15:59:59 2030 GMT
>         Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification
> Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
> .
> .
> .
>
> as you can see the DN is comma separated, not / separated ....
>
> On the other hand when tested with "openssl s_connect" for one of my
> certificates it comes out as "issuer=/C=AU/ST=NSW/L=Sydney/...." so sorry
> for the confusion, seems the / separator is correct.

Anyway, what does the test "openssl s_client -ssl3 -connect
server_name:443" show in your case?


>
> On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' <michele.m...@gmail.com>wrote:
>
>> The issuer dn is the same; the pem file is a ca bundle.
>>
>>
>> On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icici...@gmail.com> wrote:
>>
>>>
>>> On 04/03/2013 7:33 AM, "Michele Mase'" <michele.m...@gmail.com> wrote:
>>> >
>>> > Anyone?
>>> >
>>> >
>>> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.m...@gmail.com>
>>> wrote:
>>> >>
>>> >> I'm testing a client authentication using:
>>> >>
>>> >> SSLCACertificateFile /path/to/pemfile.pem
>>> >> <LocationMatch "/test">
>>> >>         SSLVerifyClient require
>>> >>         SSLVerifyDepth 2
>>> >>         SSLOptions +StdEnvVars +ExportCertData
>>> >>         SSLRequire  %{SSL_CLIENT_I_DN} eq
>>> "/C=US/O=acme/OU=acme/CN=acme"
>>> >> </LocationMatch>
>>> >>
>>> >>
>>> >> I should use two different CA with the same DN (file
>>> /path/to/pemfile.pem)
>>> >> When i try to use this configuration I receive:
>>> >> Access totest denied for 10.10.10.10 (requirement expression not
>>> fulfilled)
>>> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>> >>
>>> >> The only way it works is without the SSLRequire directive.
>>> >> or
>>> >> Using only one CA in the file (file /path/to/pemfile.pem)
>>> >>
>>> >> Some suggestions?
>>> >>
>>> >> Regards
>>> >> Michele Masè
>>> >
>>> >
>>> Please paste the output of
>>>
>>> # openssl x509 -noout -in /path/to/pemfile.pem -text
>>>
>>> so we know what are we talking about here. If multiple dn in the file
>>> why are you trying to match one using eq then? Anyway, the above command
>>> will show us the issuer dn string and you can see what are you doing wrong.
>>>
>>
>>
>

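The thread turns on how the issuer DN is written: `openssl x509 -text` prints it comma-separated ("C=TW, O=TAIWAN-CA, OU=Root CA, CN=..."), while the SSL_CLIENT_I_DN variable that an SSLRequire `eq` test compares against holds the slash-separated "oneline" form ("/C=TW/O=TAIWAN-CA/..."), and `eq` is a plain string comparison. The script below is an added example, not code from the thread or from mod_ssl: it converts between the two forms (honouring backslash-escaped separators inside values, an assumption about the escaping both OpenSSL output styles use), compares DNs structurally, and shows that a literal copied from the `-text` output never satisfies `eq` against the oneline value. The sample DN is the TWCA root issuer quoted above.

```python
"""
Added example (not from the thread): normalise X.509 distinguished names
between the comma-separated form printed by `openssl x509 -text` and the
slash-separated "oneline" form that mod_ssl exposes in SSL_CLIENT_I_DN /
SSL_CLIENT_S_DN, then apply the exact string comparison that an
SSLRequire `eq` test performs.

Assumption: values escape an embedded separator with a backslash
("\\," in the comma form, "\\/" in the slash form).
"""

# Issuer DN of the TWCA root as quoted in the thread, in both forms.
SAMPLE_TEXT_FORM = "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
SAMPLE_ONELINE = "/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Root Certification Authority"


def _split_escaped(text, sep):
    """Split on `sep`, keeping backslash-escaped separators inside values."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])  # escaped char is literal, drop the backslash
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Return [(attr, value), ...] from either the comma or the slash form."""
    dn = dn.strip()
    if dn.startswith("/"):
        rdns = _split_escaped(dn[1:], "/")
    else:
        rdns = [r.strip() for r in _split_escaped(dn, ",")]
    pairs = []
    for rdn in rdns:
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value))
    return pairs


def to_oneline(pairs):
    """Render as the mod_ssl slash form, escaping any '/' inside a value."""
    return "".join("/%s=%s" % (a, v.replace("/", "\\/")) for a, v in pairs)


def to_comma(pairs):
    """Render as the `openssl x509 -text` comma form, escaping embedded ','."""
    return ", ".join("%s=%s" % (a, v.replace(",", "\\,")) for a, v in pairs)


def sslrequire_eq(env_value, expr_literal):
    """SSLRequire `eq` is byte-for-byte string equality; nothing is normalised."""
    return env_value == expr_literal


def dn_equivalent(a, b):
    """Compare two DNs structurally, whichever textual form each is in."""
    return parse_dn(a) == parse_dn(b)


def demo():
    """What SSLRequire would see with SSL_CLIENT_I_DN set to the oneline form."""
    env = SAMPLE_ONELINE
    return {
        "literal_copied_from_x509_text": sslrequire_eq(env, SAMPLE_TEXT_FORM),  # False
        "literal_in_oneline_form": sslrequire_eq(env, SAMPLE_ONELINE),          # True
        "same_dn_structurally": dn_equivalent(SAMPLE_TEXT_FORM, SAMPLE_ONELINE),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-32s %s" % (name, result))
```

When writing the SSLRequire literal, take the value from what the server actually exposes (for example by logging `%{SSL_CLIENT_I_DN}x` or checking the `issuer=` line of `openssl s_client`), not from `openssl x509 -text`, since `eq` will not bridge the two formats.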