On 11/1/2010 7:14 AM, Joe Orton wrote:
> On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
>> Works: SSL via my corporate cert, SSL via 3 other people's
>> corporate certs
>> Fails: 1 person's cert so far, yet is logged as "SUCCESS"
>> when logging SSL_CLIENT_VERIFY via CustomLog

> Your verbose description of "something goes is not working" is hard to
> follow or condense down. Are you saying with the below configuration,
> you are seeing the SSLRequire work for all the users but not with the
> jblaine cert?

I was originally seeing it work fine for everyone but 1 user
(Simpson Mary B, below).  Now it almost seems somewhat random
in failure.  People who used to succeed are now failing.
I can get in fine (Blaine Charles J.)

Granted, I am messing with all sorts of things trying to get
it to work after all this time dead in the water.

> It could be an SSLRequire implementation bug but it is hard to tell.  Is
> the order of the users within the SSLRequire list significant?

Ah, you mean if I reorder them, does the success/failure
situation change as well?  I don't know, I can try that.

> Why are you matching by the whole S_DN rather than based on
> e.g. S_DN_CN alone?

Why not?  It seems like the more fully correct way to match
for security.  It's documented and supposedly legit/correct.
The cert-extracted DN (reported in log) matches the configured
DN in the ssl.conf file exactly.

I will try the httpd list.

Thanks Joe
Jeff

<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}
</Location>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
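As an added example (not code from the thread, mod_ssl or httpd), the check below mimics what `SSLRequire %{SSL_CLIENT_S_DN} in { ... }` does, a byte-for-byte comparison of the whole subject DN string against the list, and shows how to pin down why one client's DN does not match (a differing attribute value, or the same attributes in a different order). The allow-list entries and client DNs are constructed, modelled on the ssl.conf in the thread, and it also shows why a CN-only match is looser than the whole-DN match.

```python
from typing import Dict, List, Tuple

# Constructed allow-list in mod_ssl's SSL_CLIENT_S_DN format ("/attr=value/..."),
# modelled on the thread's ssl.conf; not the real certificates.
ALLOWED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
]


def parse_dn(dn: str) -> Dict[str, str]:
    """Split '/O=x/OU=y/UID=z/CN=w' into {'O': 'x', 'OU': 'y', ...}.
    Assumes attribute values contain no '/' (true for the DNs in the thread)."""
    pairs: Dict[str, str] = {}
    for part in dn.split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs[attr] = value
    return pairs


def matches_whole_dn(client_dn: str, allowed: List[str] = ALLOWED_DNS) -> bool:
    """What the `in { ... }` test does: the whole DN string must match exactly."""
    return client_dn in allowed


def matches_cn_only(client_dn: str, allowed: List[str] = ALLOWED_DNS) -> bool:
    """The looser alternative (SSL_CLIENT_S_DN_CN): any cert with a listed CN passes,
    whatever its O, OU or UID says."""
    cn = parse_dn(client_dn).get("CN")
    return cn is not None and any(parse_dn(a).get("CN") == cn for a in allowed)


def same_components(client_dn: str, allowed: List[str] = ALLOWED_DNS) -> bool:
    """True when the attribute/value pairs match some entry even though the
    string does not (e.g. the attributes appear in a different order)."""
    client = parse_dn(client_dn)
    return any(parse_dn(a) == client for a in allowed)


def explain_mismatch(client_dn: str, allowed: List[str] = ALLOWED_DNS) -> List[Tuple[str, str, str]]:
    """For a DN that fails the exact match, list (attribute, client_value, allowed_value)
    for every attribute that differs from the closest allow-list entry (the one
    sharing the most attribute values with the client DN)."""
    client = parse_dn(client_dn)
    candidates = [parse_dn(a) for a in allowed]
    best = max(candidates, key=lambda c: sum(client.get(k) == v for k, v in c.items()))
    attrs = sorted(set(client) | set(best))
    return [(k, client.get(k, ""), best.get(k, "")) for k in attrs if client.get(k) != best.get(k)]
```

If `matches_whole_dn` is false but `same_components` is true, the logged DN and the configured one differ only in attribute order or formatting, which the exact string test treats as a mismatch.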