On Mon, Mar 4, 2013 at 10:42 AM, Igor Cicimov <icici...@gmail.com> wrote:
> What I was trying to point to is this:
>
> # openssl x509 -noout -in /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         *Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority*
>         Validity
>             Not Before: Aug 28 07:24:33 2008 GMT
>             Not After : Dec 31 15:59:59 2030 GMT
>         Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>         .
>         .
>         .
>
> as you can see the DN is comma separated, not / separated ....
>
> On the other hand, when tested with "openssl s_connect" for one of my certificates it comes out as "issuer=/C=AU/ST=NSW/L=Sydney/....", so sorry for the confusion, seems the / separator is correct. Anyway, what does the test "openssl s_client -ssl3 -connect server_name:443" show in your case?
>
> On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' <michele.m...@gmail.com> wrote:
>
>> The issuer DN is the same; the pem file is a CA bundle.
>>
>>
>> On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icici...@gmail.com> wrote:
>>
>>>
>>> On 04/03/2013 7:33 AM, "Michele Mase'" <michele.m...@gmail.com> wrote:
>>> >
>>> > Anyone?
>>> >
>>> >
>>> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.m...@gmail.com> wrote:
>>> >>
>>> >> I'm testing a client authentication using:
>>> >>
>>> >> SSLCACertificateFile /path/to/pemfile.pem
>>> >> <LocationMatch "/test">
>>> >>     SSLVerifyClient require
>>> >>     SSLVerifyDepth 2
>>> >>     SSLOptions +StdEnvVars +ExportCertData
>>> >>     SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>>> >> </LocationMatch>
>>> >>
>>> >>
>>> >> I should use two different CAs with the same DN (file /path/to/pemfile.pem).
>>> >> When I try to use this configuration I receive:
>>> >> Access to test denied for 10.10.10.10 (requirement expression not fulfilled)
>>> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>> >>
>>> >> The only way it works is without the SSLRequire directive,
>>> >> or
>>> >> using only one CA in the file (file /path/to/pemfile.pem).
>>> >>
>>> >> Some suggestions?
>>> >>
>>> >> Regards
>>> >> Michele Masè
>>> >
>>> >
>>> Please paste the output of
>>>
>>> # openssl x509 -noout -in /path/to/pemfile.pem -text
>>>
>>> so we know what we are talking about here. If there are multiple DNs in the file, why are you trying to match one using eq then? Anyway, the above command will show us the issuer DN string and you can see what you are doing wrong.
>>
>>
>
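The thread goes back and forth over two spellings of the same issuer DN: OpenSSL's one-line "/C=US/O=acme/..." form and the comma-separated form that `openssl x509 -text` prints. Since `eq` in `SSLRequire` is a plain string comparison, the spelling has to match what mod_ssl exports exactly. The normaliser below is an added example, not code from the thread or from Apache; the DN strings it is tested with are constructed.

```python
import re
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "acme")


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN in either spelling seen in the thread:
    one-line form '/C=US/O=acme/OU=acme/CN=acme' or comma form
    'C=US, O=acme, OU=acme, CN=acme' (RFC 2253's 'CN=acme,OU=acme,O=acme,C=US'
    also parses). A backslash-escaped separator stays part of the value."""
    s = dn.strip()
    if s.startswith("/"):
        sep, s = "/", s[1:]
    else:
        sep = ","
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\)" + re.escape(sep), s):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        # attribute types are case-insensitive; values are kept as written
        rdns.append((attr.strip().upper(), value.strip().replace("\\" + sep, sep)))
    return rdns


def to_oneline(rdns: List[RDN]) -> str:
    """Render RDNs in the slash form used in the SSLRequire literal above."""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def same_dn(a: str, b: str) -> bool:
    """True when both strings name the same DN regardless of spelling.
    RFC 2253 prints RDNs most-specific-first, so reversed order is accepted."""
    ra, rb = parse_dn(a), parse_dn(b)
    return ra == rb or ra == list(reversed(rb))


def diagnose(exported: str, literal: str) -> Tuple[bool, bool]:
    """(what 'eq' sees, what a human sees): plain string equality of the
    exported SSL_CLIENT_I_DN against the directive's literal, beside a
    spelling-independent DN comparison. (False, True) means the DN is the
    intended one but the literal is spelled differently from the export."""
    return exported == literal, same_dn(exported, literal)
```

Note that two CAs sharing one issuer DN export the same SSL_CLIENT_I_DN, so no spelling of that variable can tell their certificates apart.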