Harry Knitter wrote:

>On Saturday, 11 June 2005 10:34, Harry Knitter wrote:
>>I'm trying to setup a system where the client authentication for a special
>>directory should be done via client certificates. I have set up a CA (using 
>>OpenSSL) and the corresponding certificate and key files for the CA, the server 
>>and a client.
>>The client browser (Mozilla Firefox) has all certificates necessary.
>>My vhost-ssl.conf (based on the standard template file) contains the
>>following directory entry
>>
>><Directory /srv/www/htdocs/very/secure>
>>        SSLVerifyClient require
>>        SSLVerifyDepth  1
>>        SSLRequireSSL
>>        SSLOptions           +FakeBasicAuth
>>        SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
>>        SSLCipherSuite HIGH:MEDIUM
>>        SSLRequire      %{SSL_CLIENT_S_DN_O} eq "My Organisation" \
>>                    and %{SSL_CLIENT_S_DN_OU} eq "My Department"
>></Directory>
>>
>>However the browser cannot access the directory. The client is waiting for my 
>>server until server timeout.
>>Apache's error.log (level=info) shows
>>
>>Creating new config (0x5cbfc8) for (null)
>>[Thu Jun 09 17:28:45 2005] [info] Init: Initializing OpenSSL library
>>[Thu Jun 09 17:28:45 2005] [info] Init: Seeding PRNG with 144 bytes of
>>entropy
>>[Thu Jun 09 17:28:45 2005] [info] Loading certificate & private key of
>>SSL-aware server
>>[Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary RSA private
>>keys (512/1024 bits)
>>[Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary DH parameters
>>(512/1024 bits)
>>[Thu Jun 09 17:28:45 2005] [info] Shared memory session cache initialised
>>[Thu Jun 09 17:28:45 2005] [info] Init: Initializing (virtual) servers for
>>SSL
>>[Thu Jun 09 17:28:45 2005] [info] Configuring server for SSL protocol
>>[Thu Jun 09 17:28:45 2005] [info] Server: Apache/2.0.53, Interface:
>>mod_ssl/2.0.53, Library: OpenSSL/0.9.7e
>>[Thu Jun 09 17:28:46 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured --
>>resuming normal operations
>>[Thu Jun 09 17:28:46 2005] [info] Server built: Mar 19 2005 22:42:07
>>[Thu Jun 09 17:33:46 2005] [info] Connection to child 0 established (server
>>www.myserver.com:443, client 192.168.0.253)
>>[Thu Jun 09 17:33:46 2005] [info] Seeding PRNG with 144 bytes of entropy
>>[Thu Jun 09 17:33:46 2005] [info] Initial (No.1) HTTPS request received for
>>child 0 (server www.myserver.com:443)
>>[Thu Jun 09 17:33:46 2005] [info] Requesting connection re-negotiation
>>[Thu Jun 09 17:33:46 2005] [info] Awaiting re-negotiation handshake
>>[Thu Jun 09 17:38:46 2005] [error] Re-negotiation handshake failed: Not
>>accepted by client!?
>>
>>The other directories of the server can be accessed with SSL without any
>>problems.
>>Also the SSLRequireSSL directive doesn't work as expected. I still can access 
>>that directory without using SSL.
>>
>>What's wrong?
>>(I'm using a version 2.0.53 Apache (mod_ssl built in) on a SuSE 9.3 64-bit 
>>system)
>>
>>Thanks for any helpful hint
>>
>>Harry
>
>I've found the solution! 
>Being always a little paranoid, I had created certificates and keys with a 
>4096-bit length. This was too much.
>After creating new certificates and keys with a 2048-bit length, almost 
>everything works fine.
>The only problem remaining is that ordinary HTTP access to my directory is 
>still possible, even if SSLRequireSSL is set.
>How can I solve this?
Well, to prevent access over HTTP you should place a deny directive in the
HTTP-related part of your config file.
<Location /yoururl>
deny from all
</Location>

>Harry
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      modssl-users@modssl.org
>Automated List Manager                            [EMAIL PROTECTED]


-- 
Charles-Edouard Ruault
Idtect SA
115 rue Reaumur - 75002, Paris, France
Tel: +33-1-55-34-76-65
Fax: +33-1-55-34-76-75
Web: http://www.idtect.com
GPG key Id C97EDD59
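An added example (not code from this thread, from Apache or from mod_ssl) that makes the remaining symptom checkable. SSLRequireSSL only acts where its enclosing <Directory> section is in effect; when that section sits inside the SSL vhost alone, the plain-HTTP vhost for the same DocumentRoot never sees it and serves /very/secure in the clear, which is the behaviour reported above. The Python script below parses httpd.conf-style text into sections and reports every directory that demands TLS or a client certificate in an SSLEngine-on vhost but is reachable through a non-SSL vhost with no "Deny from all" or https redirect of its own. It runs over three constructed configs modelled on the fragment in the question: the layout the symptom implies, the deny-in-the-HTTP-vhost fix from the reply, and a server-scope <Directory> alternative that every vhost inherits. The function name find_plain_http_gaps, the paths and the sample configs are assumptions made for the example.

```python
"""Added example (not from the thread or Apache): find directories whose TLS / client-cert
requirement lives only inside the SSL vhost, so the plain-HTTP vhost still serves them."""
import re

_OPEN, _CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</(\w+)>$")

def parse(text):
    """httpd.conf text -> tree of {"name", "args", "directives": [(name, args)], "children"}."""
    root = {"name": "server", "args": "", "directives": [], "children": []}
    stack, buf = [root], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):                  # backslash continuation, as in SSLRequire
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            stack[-1]["children"].append({"name": m[1], "args": m[2].strip(), "directives": [], "children": []})
            stack.append(stack[-1]["children"][-1])
        elif m := _CLOSE.match(line):
            if len(stack) == 1 or m[1].lower() != stack[-1]["name"].lower():
                raise ValueError("unbalanced section: " + line)
            stack.pop()
        else:
            name, _, args = line.partition(" ")
            stack[-1]["directives"].append((name, args.strip()))
    if len(stack) != 1:
        raise ValueError("unclosed section <%s>" % stack[-1]["name"])
    return root

def _get(node, name):
    """Value of the first directive called `name` ("" if it takes no args), else None."""
    return next((a for n, a in node["directives"] if n.lower() == name.lower()), None)

def _sections(node):
    """<Directory>/<Location> children of `node` (vhosts are walked separately)."""
    return [c for c in node["children"] if c["name"].lower() in ("directory", "location")]

def _fs_path(section, docroot):
    """Filesystem directory a section governs; a <Location> is resolved through DocumentRoot."""
    arg = section["args"].strip('"').rstrip("/")
    if section["name"].lower() == "directory":
        return arg
    return docroot.rstrip("/") + arg if docroot else None

def _requires_tls(s):
    return _get(s, "SSLRequireSSL") is not None or (_get(s, "SSLVerifyClient") or "").lower() == "require"

def _blocks_plain(s):
    """True if the section denies everyone or redirects to https, so plain HTTP cannot serve it."""
    rules = {(n.lower(), " ".join(a.lower().split())) for n, a in s["directives"]}
    return bool(rules & {("deny", "from all"), ("require", "all denied")}) or \
        any(n in ("redirect", "redirectmatch", "rewriterule") and "https://" in a for n, a in rules)

def find_plain_http_gaps(conf_text):
    """[(vhost, fs_path)] for directories that demand TLS in an SSLEngine-on vhost yet are
    reachable via a non-SSL vhost that neither denies nor redirects them."""
    root = parse(conf_text)
    server_docroot = _get(root, "DocumentRoot")
    is_ssl = lambda vh: (_get(vh, "SSLEngine") or "").lower() == "on"
    vhosts = [c for c in root["children"] if c["name"].lower() == "virtualhost"]
    # Server-scope sections are inherited by every vhost, so they never leave a gap.
    everywhere = {_fs_path(s, server_docroot) for s in _sections(root) if _requires_tls(s)}
    protected = set()
    for vh in filter(is_ssl, vhosts):
        droot = _get(vh, "DocumentRoot") or server_docroot
        protected |= {_fs_path(s, droot) for s in _sections(vh) if _requires_tls(s)}
    gaps = []
    for vh in (v for v in vhosts if not is_ssl(v)):
        droot = (_get(vh, "DocumentRoot") or server_docroot or "").rstrip("/")
        blocked = {_fs_path(s, droot) for s in _sections(vh) if _blocks_plain(s)} - {None}
        for path in sorted(protected - everywhere - {None}):
            if path.startswith(droot + "/") and not any(path == b or path.startswith(b + "/") for b in blocked):
                gaps.append((vh["args"], path))      # served in clear by this vhost (Alias not modelled)
    return gaps

# Constructed sample configs (assumed layout), modelled on the <Directory> block in the question.
SSL_VHOST = """
<VirtualHost *:443>
    DocumentRoot /srv/www/htdocs
    SSLEngine on
    <Directory /srv/www/htdocs/very/secure>
        SSLVerifyClient require
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organisation" \\
                   and %{SSL_CLIENT_S_DN_OU} eq "My Department"
    </Directory>
</VirtualHost>
"""
# 1. The layout the symptom implies: SSLRequireSSL exists only inside the :443 vhost.
BROKEN_CONF = "<VirtualHost *:80>\n    DocumentRoot /srv/www/htdocs\n</VirtualHost>\n" + SSL_VHOST
# 2. The reply's fix: deny the URL outright in the plain-HTTP vhost.
DENY_FIX = """
<VirtualHost *:80>
    DocumentRoot /srv/www/htdocs
    <Location /very/secure>
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>
""" + SSL_VHOST
# 3. Alternative: a server-scope <Directory> is inherited by both vhosts, so mod_ssl itself
#    answers plain-HTTP requests for it with 403 instead of serving the files.
GLOBAL_FIX = "<Directory /srv/www/htdocs/very/secure>\n    SSLRequireSSL\n</Directory>\n" + BROKEN_CONF
```

Worth running after every edit to the vhost files: `apachectl -t` only validates syntax and will happily accept the broken layout, since every directive in it is legal where it stands.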
