[EMAIL PROTECTED] wrote:
> How deep is VerifyDepth ?

I guess this is the wrong direction of error checking. VerifyDepth and VerifyRequire are used in evaluating the certificate chain on SSL connection establishment; the SSLRequire expression is evaluated after the HTTP request is successfully transmitted and the server already knows which webpage is requested (it's a "directory" section...).

Of course VerifyDepth is sufficient (every value above 2 works in my case, as expected); if it was not, the error would be something like "unable to get issuer certificate", because evaluation starts at the leaf (= client certificate) going up to the root CA cert.

> I know it will be a big file, but for this purpose I use to turn on
> "LogLevel Debug", then the error_log will become very verbose.
> There Apache will tell if your "testuser" will be checked or not.

What would that look like? I see at the connection establishment:

[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01

After many bytes of packet dump I see the HTTP request arrived:

[Wed Apr 05 19:17:59 2006] [info] Initial (No.1) HTTPS request received for child 0 (server www.testserver.de:443)

and then again lots of bytes (the webpage that is delivered). Nothing about the check of SSLRequire...

Thanx for your help anyways. :-)
I guess the next step will be stracing the whole thing...

--
Dipl.Inform. Olaf Gellert               PRESECURE (R)
Senior Researcher,                      Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                                [EMAIL PROTECTED]
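
Added example, not part of the original message or of mod_ssl: a Python check that reads the "Certificate Verification" debug lines quoted above, rebuilds the chain from leaf to root, and reports which client CN was verified during the handshake. The function names and the depth comparison are assumptions made for this illustration; the log lines are the ones from the message.

```python
import re

# The three handshake lines quoted in the message above (mod_ssl, LogLevel debug).
SAMPLE_LOG = """\
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01
"""

VERIFY_RE = re.compile(
    r"Certificate Verification: depth: (\d+), subject: (.+?), issuer: (.+)$")


def parse_chain(log_text):
    """Map depth -> (subject, issuer) for each verification line found."""
    chain = {}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            chain[int(m.group(1))] = (m.group(2).strip(), m.group(3).strip())
    return chain


def leaf_cn(chain):
    """CN of the client certificate (depth 0), or None if it was not logged."""
    m = re.search(r"/CN=([^/]+)", chain.get(0, ("", ""))[0])
    return m.group(1) if m else None


def check_chain(chain, verify_depth):
    """Return a list of problems; an empty list means the logged chain is consistent."""
    if 0 not in chain:
        return ["no depth-0 (client certificate) line found"]
    problems = []
    top = max(chain)
    # Assumption: a chain is rejected when its highest depth exceeds the limit.
    if top > verify_depth:
        problems.append(f"chain reaches depth {top}, limit is {verify_depth}")
    for d in range(top):
        if d not in chain or d + 1 not in chain:
            problems.append(f"gap in logged chain near depth {d}")
        elif chain[d][1] != chain[d + 1][0]:
            problems.append(f"issuer at depth {d} is not the subject at depth {d + 1}")
    if chain[top][0] != chain[top][1]:
        problems.append(f"depth {top} is not self-issued (no root logged)")
    return problems


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_LOG)
    print("client CN:", leaf_cn(chain))
    print("problems:", check_chain(chain, verify_depth=2) or "none")
```

This covers only the handshake-time verification lines; as the message notes, the debug output shown contains nothing about the later SSLRequire evaluation.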