Full_Name: winni
Version: 2.4.2
OS: AIX 4.3.3 (AIX4.3.2)
Submission from: (NULL) (129.181.209.36)
Hi together,
well, I have problems understanding the verification process within client
authentication :-((
If I have this certificate structure:
ROOT-CA (self-signed cert)
|
+-- Intermediate1 CA (signed by ROOT-CA)
|   |
|   +-- Client Certificate1 (signed by Intermediate1 CA)
|   +-- Client Certificate2 (signed by Intermediate1 CA)
|
+-- Intermediate2 CA (signed by ROOT-CA)
    |
    +-- Client Certificate3 (signed by Intermediate2 CA)
    +-- Client Certificate4 (signed by Intermediate2 CA)
Within the Apache server I define client authentication like this:
httpd.conf:
...
Listen 443
Listen 444
...
# Application No.1
<VirtualHost myIP:443>
    ...
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine on
    # Server Cert
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/Server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/Server.key
    # Client authentication !!
    SSLVerifyClient require
    # Depth = 2 because I have two signers and one client cert !!
    SSLVerifyDepth 2
    # This file contains the ROOT-CA and the Intermediate1 CA
    SSLCACertificateFile /usr/local/apache/443/CAcert.pem
    SSLCARevocationPath  /usr/local/apache/443
    SSLCARevocationFile  /usr/local/apache/443/crl.pem
    # I also use ProxyPass for redirection !!
    ProxyPass        / http://myOtherIP1
    ProxyPassReverse / http://myOtherIP1
</VirtualHost>
# Application No.2
<VirtualHost myIP:444>
    ...
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine on
    # Server Cert
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/Server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/Server.key
    # Client authentication !!
    SSLVerifyClient require
    # Depth = 2 because I have two signers and one client cert !!
    SSLVerifyDepth 2
    # This file contains the ROOT-CA and the Intermediate2 CA
    SSLCACertificateFile /usr/local/apache/444/CAcert.pem
    SSLCARevocationPath  /usr/local/apache/444
    SSLCARevocationFile  /usr/local/apache/444/crl.pem
    # I also use ProxyPass for redirection !!
    ProxyPass        / http://myOtherIP2
    ProxyPassReverse / http://myOtherIP2
</VirtualHost>
If I access Application No.1 (https://myIP:443) with the correct client certificate
(Client Certificate 1 or 2), the access is allowed !! That's OK :-)
Buuuut
if I access Application No.1 (https://myIP:443) with the client certificate
(Client Certificate 3 or 4), the access is also allowed !! That's NOT OK :-((
The Intermediate1 CA and the ROOT-CA are only known by the virtualhost:443. So
mod_ssl can't verify Intermediate2 CA !!!!
It looks like only the verification of the (same) ROOT-CA is sufficient to verify
the client certificates, and not the signer certificate of the client certificate !!!
I think that can't be a feature ! I would assume that ALL certificates within a
chain have to be verified correctly before an access could be established !!!!!!
Well, I also use ProxyPass within the httpd.conf. That is important to know because
if I don't use this feature I can fix the problem with the following additional
definitions in httpd.conf:
# Application No.1
<VirtualHost myIP:443>
    ...
    <Directory /usr/local/apache/htdocs>
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Intermediate1 CA"
    </Directory>
    ...
</VirtualHost>
# Application No.2
<VirtualHost myIP:444>
    ...
    <Directory /usr/local/apache/htdocs>
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Intermediate2 CA"
    </Directory>
    ...
</VirtualHost>
Because of the priority within the Apache server's parsing of definitions, the
ProxyPass definitions are parsed before the <Directory> definition. If I use both
of them, only the ProxyPass definition is used and the <Directory> definition has
no meaning :-((
(I have to use the / within the ProxyPass because all requests are redirected !)
Releases:
apache:  1.3.9
modssl:  2.4.2
openssl: 0.9.4
OS:      AIX 4.3.2
Any ideas to solve this problem ???
Hoping for support ....
/winni
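Added example, not part of winni's post: the reported behaviour reproduced with the openssl command line against a throw-away PKI built to match the diagram (constructed test data; the file names root/int1/int2/client1/client3 and the helper names are mine). It shows that verification against the port-443 CA file accepts Client Certificate3 as soon as the client sends Intermediate2 CA along with its own certificate, because both CA files contain the same ROOT-CA trust anchor, and that the issuer CN is the value an SSLRequire on SSL_CLIENT_I_DN_CN pins.

```shell
#!/bin/sh
# Throw-away PKI mirroring the post's diagram (constructed test data, built in a temp dir).
set -e
PKI=$(mktemp -d); trap 'rm -rf "$PKI"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$PKI/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$PKI/leaf.ext"

# mkcert NAME CN EXTFILE [ISSUER]: key pair + CSR, signed by ISSUER (self-signed when omitted)
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$PKI/$1.csr" -signkey "$PKI/$1.key" \
      -days 1 -extfile "$PKI/$3" -out "$PKI/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$4.pem" -CAkey "$PKI/$4.key" \
      -CAcreateserial -days 1 -extfile "$PKI/$3" -out "$PKI/$1.pem" 2>/dev/null
  fi
}
mkcert root    "ROOT-CA"             ca.ext
mkcert int1    "Intermediate1 CA"    ca.ext   root
mkcert int2    "Intermediate2 CA"    ca.ext   root
mkcert client1 "Client Certificate1" leaf.ext int1
mkcert client3 "Client Certificate3" leaf.ext int2

# The two SSLCACertificateFile contents: each vhost lists ROOT-CA plus its own intermediate.
cat "$PKI/root.pem" "$PKI/int1.pem" > "$PKI/CAcert443.pem"
cat "$PKI/root.pem" "$PKI/int2.pem" > "$PKI/CAcert444.pem"

# verify_client CAFILE LEAF [INTERMEDIATE]: prints ok/fail. The optional intermediate
# stands for the CA certificate a TLS client sends together with its own certificate.
verify_client() {
  sent=${3:+-untrusted $PKI/$3.pem}
  if openssl verify -CAfile "$PKI/$1" $sent "$PKI/$2.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# issuer_cn LEAF: the value mod_ssl exposes as SSL_CLIENT_I_DN_CN (DNs here are CN-only)
issuer_cn() {
  openssl x509 -in "$PKI/$1.pem" -noout -issuer -nameopt RFC2253 |
    sed 's/^issuer=//; s/.*CN=\([^,]*\).*/\1/'
}

echo "443, Client1 + Intermediate1 sent: $(verify_client CAcert443.pem client1 int1)"  # ok
echo "443, Client3 + Intermediate2 sent: $(verify_client CAcert443.pem client3 int2)"  # ok: ROOT-CA is trusted in both files
echo "443, Client3 alone:                $(verify_client CAcert443.pem client3)"       # fail: no path to ROOT-CA
echo "SSL_CLIENT_I_DN_CN of Client3:     $(issuer_cn client3)"  # Intermediate2 CA, which the post's SSLRequire rejects
```

Chain verification only requires a path from the client certificate to some certificate in the CA file, so a shared root makes the per-vhost intermediate irrelevant; pinning the issuer (as the post's SSLRequire does) or giving each vhost its own root is what actually separates the two populations.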
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]