Harry Knitter wrote:

> On Saturday, 11 June 2005 10:34, Harry Knitter wrote:
>
>> I'm trying to set up a system where the client authentication for a special
>> directory should be done via client certificates. I have set up a CA (using
>> OpenSSL) and the corresponding certificate and key files for the CA, the server
>> and a client.
>> The client browser (Mozilla Firefox) has all certificates necessary.
>> My vhost-ssl.conf (based on the standard template file) contains the
>> following directory entry
>>
>> <Directory /srv/www/htdocs/very/secure>
>>   SSLVerifyClient require
>>   SSLVerifyDepth 1
>>   SSLRequireSSL
>>   SSLOptions +FakeBasicAuth
>>   SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
>>   SSLCipherSuite HIGH:MEDIUM
>>   SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organisation" \
>>     and %{SSL_CLIENT_S_DN_OU} eq "My Department"
>> </Directory>
>>
>> However the browser cannot access the directory. The client is waiting for my
>> server until server timeout.
>> Apache's error.log (level=info) shows
>>
>> Creating new config (0x5cbfc8) for (null)
>> [Thu Jun 09 17:28:45 2005] [info] Init: Initializing OpenSSL library
>> [Thu Jun 09 17:28:45 2005] [info] Init: Seeding PRNG with 144 bytes of entropy
>> [Thu Jun 09 17:28:45 2005] [info] Loading certificate & private key of SSL-aware server
>> [Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
>> [Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
>> [Thu Jun 09 17:28:45 2005] [info] Shared memory session cache initialised
>> [Thu Jun 09 17:28:45 2005] [info] Init: Initializing (virtual) servers for SSL
>> [Thu Jun 09 17:28:45 2005] [info] Configuring server for SSL protocol
>> [Thu Jun 09 17:28:45 2005] [info] Server: Apache/2.0.53, Interface: mod_ssl/2.0.53, Library: OpenSSL/0.9.7e
>> [Thu Jun 09 17:28:46 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
>> [Thu Jun 09 17:28:46 2005] [info] Server built: Mar 19 2005 22:42:07
>> [Thu Jun 09 17:33:46 2005] [info] Connection to child 0 established (server www.myserver.com:443, client 192.168.0.253)
>> [Thu Jun 09 17:33:46 2005] [info] Seeding PRNG with 144 bytes of entropy
>> [Thu Jun 09 17:33:46 2005] [info] Initial (No.1) HTTPS request received for child 0 (server www.myserver.com:443)
>> [Thu Jun 09 17:33:46 2005] [info] Requesting connection re-negotiation
>> [Thu Jun 09 17:33:46 2005] [info] Awaiting re-negotiation handshake
>> [Thu Jun 09 17:38:46 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
>>
>> The other directories of the server can be accessed with SSL without any
>> problems.
>> Also the SSLRequireSSL directive doesn't work as expected. I still can access
>> that directory without using SSL.
>>
>> What's wrong?
>> (I'm using a version 2.0.53 apache (mod_ssl builtin) on a SuSE 9.3 64-bit
>> system)
>>
>> Thanks for any helpful hint
>>
>> Harry
>
> I've found the solution!
> As being always a little paranoid I had created certificates and keys with a
> 4096 bit length. This was too much.
> After creating new certificates and keys with 2048 bit length, almost
> everything works fine.
> The only problem remaining is that ordinary http-access to my directory is
> still possible, even if SSLRequireSSL is set.
> How can I solve this?

Well, to prevent access over HTTP you should place a deny directive in the
HTTP-related part of your config file.

<Location /yoururl>
  deny from all
</Location>

> Harry
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Charles-Edouard Ruault
Idtect SA
115 rue Reaumur - 75002, Paris, France
Tel: +33-1-55-34-76-65
Fax: +33-1-55-34-76-75
Web: http://www.idtect.com
GPG key Id C97EDD59
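The point behind the reply above is that a <Directory> block placed inside the SSL virtual host (vhost-ssl.conf) governs only requests that arrive on that virtual host; the port-80 virtual host never sees the SSLRequireSSL line, so the same path stays open over plain HTTP until that host is closed off too. The configuration below is an added example written for this thread, not Charles-Edouard's or Harry's config: it puts the deny rule in the port-80 host beside the client-certificate policy in the port-443 host. Hostnames, paths and DN values are taken from the thread; the server certificate and key file names (server.crt, server.key) are assumed placeholders. One deliberate change from the quoted block: SSLCACertificateFile is valid only in server or virtual-host context, not inside <Directory>, so it is moved up to the vhost level.

```apache
# Added example for this thread (not from the original post).
# Hostnames, paths and DN values follow the thread; server.crt/server.key are placeholders.

# --- port 80: SSL directives from the vhost below do not apply here, so the
# protected path must be closed off in this host explicitly.
<VirtualHost *:80>
    ServerName   www.myserver.com
    DocumentRoot /srv/www/htdocs

    # Refuse plain-HTTP access outright (Apache 2.0/2.2 access-control syntax).
    <Location /very/secure>
        Order deny,allow
        Deny from all
    </Location>

    # Alternative: redirect browsers to the HTTPS host instead of returning 403.
    # Redirect permanent /very/secure https://www.myserver.com/very/secure
</VirtualHost>

# --- port 443: client-certificate policy from the thread, with the CA file at
# vhost level, where mod_ssl accepts it.
<VirtualHost *:443>
    ServerName   www.myserver.com
    DocumentRoot /srv/www/htdocs

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt   # placeholder
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key   # placeholder
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca.crt       # CA that issued the client certs

    <Directory /srv/www/htdocs/very/secure>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLOptions +FakeBasicAuth
        SSLCipherSuite HIGH:MEDIUM
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "My Organisation" \
               and %{SSL_CLIENT_S_DN_OU} eq "My Department"
    </Directory>
</VirtualHost>
```

After a reload, a request for /very/secure on port 80 should return 403 (or a redirect, if the Redirect line is used instead), while the same path on port 443 should trigger the renegotiation that asks the browser for a client certificate; the error.log entries "Requesting connection re-negotiation" and "Awaiting re-negotiation handshake" quoted in the thread are the expected trace of that on the SSL side.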