Michele Mase' <michele.mase <at> gmail.com> writes:

> I'm testing a client authentication using:
>
>     SSLCACertificateFile /path/to/pemfile.pem
>     <LocationMatch "/test">
>         SSLVerifyClient require
>         SSLVerifyDepth 2
>     </LocationMatch>
>
> My env:
> CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3 (Unix) - Server built: Feb 7 2013 14:32:46
>
> I have 2 CA's x509 pem files, bundled.
> CA1 signs client1 certificate files
> CA2 signs client2 certificate files
> I should use two different CA with a similar issuer DN_OU in a bundle (file /path/to/pemfile.pem)
>
>     openssl x509 -noout -in one.pem -issuer
>     issuer= /C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example S.p.A./OU=CA Organization Unit/emailAddress=info <at> example.com
>     openssl x509 -noout -in one.pem -issuer
>     issuer= /C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example S.p.A./OU=CA organization Unit/emailAddress=info <at> example.com
>
> The only difference between 2 CAs is the capital letter in OU field.
>
> When I try to use this configuration I receive a 403 error:
>
>     [Mon May 06 09:33:28.115455 2013] [ssl:error] [pid 5120:tid 139860297901824] [client 10.0.2.2:59798] AH02261: Re-negotiation handshake failed: Not accepted by client!?
>
> The only way it works is without the SSLRequire directive,
> or using only one CA in the file (file /path/to/pemfile.pem),
> or using
>
>     SSLVerifyClient optional|optional_no_ca
>
> But I'm still unable to retrieve client cert data; I don't know if the client is authenticated or not.
>
> The same configuration using openssl_server works; it seems like an incorrect (or incomplete) mod_ssl openssl's implementation.
>
> Addendum:
> The bundle file contains CA1 and CA2; client certificates signed by CA1 (client1) work, client certificates signed by CA2 (client2) don't work.
> If I change the order of the two certificates in the /path/to/pemfile.pem, it happens that: the bundle file contains CA2 and CA1; client certificates signed by CA2 (client2) work, client certificates signed by CA1 (client1) don't work.
>
> The same site under IIS works :(
>
> How could I solve it using apache?
> Some suggestions?
> Regards
> Michele Masè
Hi Michele,

I was wondering if you ever found a solution for this. I think I am running into a similar issue, as some of my clients have no trouble using the certificate authentication while others can't seem to get it to work. I too have created a bundle file with CA1 and CA2 and I am suspecting that the ones signed by the latter are not being recognized. Any help will be appreciated.

Thanks,
David

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
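As an added diagnostic for the situation both posts describe (this is not code from either poster or from the httpd project), the script below splits a CA bundle into its individual certificates, counts CA subjects that become identical once letter case is ignored, and reports which single CA actually verifies a given client certificate with `openssl verify`, so a broken bundle can be told apart from a server that only honours one of the CAs. It assumes only the openssl CLI on PATH; the fixture function builds constructed test certificates, not the thread's own.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread). Assumes the openssl CLI is on PATH.
set -e
# Split a PEM bundle ($1) into $2/ca-N.pem files; prints how many were written.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# Count CA subjects in the bundle that are identical once letter case is ignored
# (the thread's situation: two CAs whose subjects differ only in the case of OU).
case_collisions() {
    d=$(mktemp -d); split_bundle "$1" "$d" >/dev/null
    for f in "$d"/ca-*.pem; do openssl x509 -noout -subject -in "$f"; done \
        | tr 'A-Z' 'a-z' | sort | uniq -d | wc -l | tr -d ' '
    rm -rf "$d"
}

# Verify the client cert ($2) against each CA of the bundle ($1) in isolation; prints
# the index of the CA that validates it (0 if none) plus a per-CA report on stderr.
which_ca_signs() {
    d=$(mktemp -d); n=$(split_bundle "$1" "$d"); match=0; i=1
    while [ "$i" -le "$n" ]; do
        ca="$d/ca-$i.pem"
        if openssl verify -CAfile "$ca" "$2" >/dev/null 2>&1; then r=OK; match=$i; else r=FAIL; fi
        echo "ca-$i: $r  $(openssl x509 -noout -subject -in "$ca")" >&2
        i=$((i + 1))
    done
    rm -rf "$d"; echo "$match"
}

# Constructed fixture, not the thread's real certificates: two self-signed CAs whose
# subjects differ only in the case of OU, each issuing one client certificate.
make_fixture() {
    d=$1; mkdir -p "$d"
    for i in 1 2; do
        if [ "$i" = 1 ]; then ou="CA Organization Unit"; else ou="CA organization Unit"; fi
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/C=IT/O=Example/OU=$ou/CN=Example Root CA" \
            -keyout "$d/ca$i.key" -out "$d/ca$i.pem" 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/C=IT/O=Example/CN=client$i" \
            -keyout "$d/client$i.key" -out "$d/client$i.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/client$i.csr" -CA "$d/ca$i.pem" -CAkey "$d/ca$i.key" \
            -CAcreateserial -out "$d/client$i.pem" 2>/dev/null
    done
    cat "$d/ca1.pem" "$d/ca2.pem" > "$d/bundle.pem"
}
```

Run `make_fixture /tmp/demo` and then `which_ca_signs /tmp/demo/bundle.pem /tmp/demo/client2.pem` to see each CA tried separately; `case_collisions /tmp/demo/bundle.pem` prints 1 because the two CA subjects collide when case is ignored.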