I am trying to do X.509 client authentication with Apache/2.0.54. This
works fine. Now I want to check for certain fields in the client
certificate with SSLRequire. Even though I ask that
%{SSL_CLIENT_S_DN_CN} eq "Testuser"
the server permits access to a client with
SSL_CLIENT_S_DN_CN="testuser2".

What's wrong? Here is the corresponding section from my config:

SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
<Directory "/home/gellert/htdocs/ssltest">
    AllowOverride None
    Options +FollowSymLinks +Includes
    Order deny,allow
    Deny from all
    Allow from localhost
    SSLRequireSSL
    SSLRequire (    %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
                 && %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
                 && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
</Directory>

Anything forgotten? If I print out the environment from within the
webpage (with SSI #printenv), I see (among all the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm.... Any clues?

Olaf

--
Dipl.Inform. Olaf Gellert          PRESECURE (R)
Senior Researcher,                 Consulting GmbH
Phone: (+49) 0700 / PRESECURE      [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
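
An offline check for the situation described above, added here as an example and not part of the original post or of mod_ssl: it evaluates the posted SSLRequire expression against the posted #printenv values and reports which comparison fails. It handles only &&-joined eq/ne string comparisons and models eq as exact string equality (an assumption); all function names are hypothetical.

```python
import re

# Values quoted in the post (SSI #printenv output for the request that got in).
PRINTENV = """\
SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2
"""

# The SSLRequire expression from the posted config, continuations included.
SSL_REQUIRE = r'''( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
 && %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
 && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )'''

CLAUSE = re.compile(r'%\{(\w+)\}\s+(eq|ne)\s+"([^"]*)"')

def parse_env(text):
    """Turn NAME=value lines into a dict; values may contain spaces or '='."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            env[name.strip()] = value
    return env

def check_clauses(expr, env):
    """Return (variable, expected, actual, passed) for every comparison."""
    if "||" in expr:
        raise ValueError("only &&-joined comparisons are supported")
    results = []
    for var, op, expected in CLAUSE.findall(expr):
        actual = env.get(var, "")      # assumption: unset expands to ""
        equal = actual == expected     # assumption: eq is exact, case-sensitive
        results.append((var, expected, actual, equal if op == "eq" else not equal))
    if not results:
        raise ValueError("no comparisons recognised")
    return results

def expected_decision(expr, env):
    """'allow' only if every comparison in the conjunction passes."""
    return "allow" if all(r[3] for r in check_clauses(expr, env)) else "deny"

if __name__ == "__main__":
    env = parse_env(PRINTENV)
    for var, expected, actual, passed in check_clauses(SSL_REQUIRE, env):
        print(f"{'ok  ' if passed else 'FAIL'} {var}: want {expected!r}, got {actual!r}")
    print("expected decision:", expected_decision(SSL_REQUIRE, env))
```

For the posted values the O and OU comparisons pass and the CN comparison fails, so the expected decision for that request is deny.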