I'm trying to set up a system where the client authentication for a special
directory should be done via client certificates. I have set up a CA (using
OpenSSL) and the corresponding certificate and key files for the CA, the server
and a client.
The client browser (Mozilla Firefox) has all the necessary certificates.
My vhost-ssl.conf (based on the standard template file) contains the
following directory entry:

<Directory /srv/www/htdocs/very/secure>
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLRequireSSL
        SSLOptions           +FakeBasicAuth
        SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
        SSLCipherSuite HIGH:MEDIUM
        SSLRequire      %{SSL_CLIENT_S_DN_O} eq "My Organisation" \
                    and %{SSL_CLIENT_S_DN_OU} eq "My Department"
</Directory>

However, the browser cannot access the directory. The client waits for my
server until the server timeout.
Apache's error.log (level=info) shows:

Creating new config (0x5cbfc8) for (null)
[Thu Jun 09 17:28:45 2005] [info] Init: Initializing OpenSSL library
[Thu Jun 09 17:28:45 2005] [info] Init: Seeding PRNG with 144 bytes of entropy
[Thu Jun 09 17:28:45 2005] [info] Loading certificate & private key of SSL-aware server
[Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Jun 09 17:28:45 2005] [info] Shared memory session cache initialised
[Thu Jun 09 17:28:45 2005] [info] Init: Initializing (virtual) servers for SSL
[Thu Jun 09 17:28:45 2005] [info] Configuring server for SSL protocol
[Thu Jun 09 17:28:45 2005] [info] Server: Apache/2.0.53, Interface: mod_ssl/2.0.53, Library: OpenSSL/0.9.7e
[Thu Jun 09 17:28:46 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Thu Jun 09 17:28:46 2005] [info] Server built: Mar 19 2005 22:42:07
[Thu Jun 09 17:33:46 2005] [info] Connection to child 0 established (server www.myserver.com:443, client 192.168.0.253)
[Thu Jun 09 17:33:46 2005] [info] Seeding PRNG with 144 bytes of entropy
[Thu Jun 09 17:33:46 2005] [info] Initial (No.1) HTTPS request received for child 0 (server www.myserver.com:443)
[Thu Jun 09 17:33:46 2005] [info] Requesting connection re-negotiation
[Thu Jun 09 17:33:46 2005] [info] Awaiting re-negotiation handshake
[Thu Jun 09 17:38:46 2005] [error] Re-negotiation handshake failed: Not accepted by client!?

The other directories of the server can be accessed with SSL without any
problems.
Also, the SSLRequireSSL directive doesn't work as expected. I can still access
that directory without using SSL.

What's wrong?
(I'm using Apache version 2.0.53 (mod_ssl built in) on a SuSE 9.3 64-bit
system)

Thanks for any helpful hint

Harry
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
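The error.log excerpt above shows the pattern behind the browser hang: a per-directory SSLVerifyClient makes mod_ssl request a TLS re-negotiation, and the "handshake failed" error only appears after the client has stalled for the full timeout. The following script is an added example (not code from the original post or from mod_ssl) that scans such log lines and reports each re-negotiation request paired with its failure and the stall length; the sample log is constructed from the lines in the post, re-joined onto single lines.

```python
import re
from datetime import datetime

# Constructed sample modelled on the mod_ssl error.log excerpt in the post
# (timestamps and wording as in the original, wrapped lines re-joined).
SAMPLE_LOG = """\
[Thu Jun 09 17:33:46 2005] [info] Initial (No.1) HTTPS request received for child 0 (server www.myserver.com:443)
[Thu Jun 09 17:33:46 2005] [info] Requesting connection re-negotiation
[Thu Jun 09 17:33:46 2005] [info] Awaiting re-negotiation handshake
[Thu Jun 09 17:38:46 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
"""

# Apache 2.0 error.log layout: "[timestamp] [level] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Jun 09 17:33:46 2005"


def parse_line(line):
    """Return (timestamp, level, message) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("level"), m.group("msg")


def find_renegotiation_stalls(log_text):
    """Pair each 'Requesting connection re-negotiation' with the next
    'Re-negotiation handshake failed' and report how long the client stalled."""
    stalls = []
    pending = None  # timestamp of the most recent re-negotiation request
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        if msg.startswith("Requesting connection re-negotiation"):
            pending = ts
        elif msg.startswith("Re-negotiation handshake failed") and pending is not None:
            reason = msg.split(": ", 1)[1] if ": " in msg else ""
            stalls.append({
                "requested_at": pending,
                "failed_at": ts,
                "stall_seconds": int((ts - pending).total_seconds()),
                "reason": reason,
            })
            pending = None
    return stalls


if __name__ == "__main__":
    for s in find_renegotiation_stalls(SAMPLE_LOG):
        print(f"re-negotiation requested {s['requested_at']}, failed after "
              f"{s['stall_seconds']}s: {s['reason']}")
```

A stall equal to the server's timeout, as in the sample (300 s), means the client never answered the re-negotiation request at all rather than presenting a certificate that was rejected.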
