Hi all,

First of all, thanks for the very good job with openssl. It really rocks!!
Now my question: I'm trying to set up strong authentication via client certificate (Belgian eID). You can see my Apache config below:

    NameVirtualHost *
    <VirtualHost *>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
        SSLVerifyClient optional_no_ca
        SSLVerifyDepth 5
        SSLCACertificateFile /etc/apache2/ssl/BelgiumRootCA.pem
        SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars +CompatEnvVars
        # SSLUserName SSL_CLIENT_S_DN_CN

        RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
        RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
        RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
        RequestHeader set SSL_CLIENT_S_DN_S %{SSL_CLIENT_S_DN_S}e
        RequestHeader set SSL_SERVER_S_DN %{SSL_SERVER_S_DN}e
        RequestHeader set SSL_PROTOCOL %{SSL_PROTOCOL}e
        RequestHeader set MyHeader "coucou"

        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            # This directive allows us to have apache2's default start page
            # in /apache2-default/, but still have / go to the right place
            # Commented out for Ubuntu
            #RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel info
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    </VirtualHost>

I've a small PHP script that dumps all the HTTP headers.
All the HTTP headers about the client (SSL_CLIENT_XXX) contain (null) while SSL_SERVER_S_DN and SSL_PROTOCOL are successfully populated. What's wrong with what I've done? I use my Belgian eID on other websites so the root cause is not at the client side.

I also include my error.log that can maybe help you. It looks ok except for the timeout but I don't know if I have to care about it.

    [Mon May 22 15:23:12 2006] [notice] Apache/2.0.54 (Ubuntu) PHP/5.0.5-2ubuntu1.2 mod_ssl/2.0.54 OpenSSL/0.9.7g configured -- resuming normal operations
    [Mon May 22 15:23:20 2006] [info] Connection to child 0 established (server localhost.localdomain:443, client 127.0.0.1)
    [Mon May 22 15:23:20 2006] [info] Seeding PRNG with 136 bytes of entropy
    [Mon May 22 15:23:20 2006] [info] Initial (No.1) HTTPS request received for child 0 (server localhost.localdomain:443)
    [Mon May 22 15:23:27 2006] [info] Connection to child 0 closed with standard shutdown(server localhost.localdomain:443, client 127.0.0.1)
    [Mon May 22 15:23:27 2006] [info] Connection to child 1 established (server localhost.localdomain:443, client 127.0.0.1)
    [Mon May 22 15:23:27 2006] [info] Seeding PRNG with 136 bytes of entropy
    [Mon May 22 15:23:27 2006] [info] Initial (No.1) HTTPS request received for child 1 (server localhost.localdomain:443)
    [Mon May 22 15:23:27 2006] [info] Subsequent (No.2) HTTPS request received for child 1 (server localhost.localdomain:443)
    [Mon May 22 15:23:42 2006] [info] (70007)The timeout specified has expired: SSL input filter read failed.
    [Mon May 22 15:23:42 2006] [info] Connection to child 1 closed with standard shutdown(server localhost.localdomain:443, client 127.0.0.1)

Thanks in advance for your help

François

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                                [EMAIL PROTECTED]
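An added example, not code from François's post or from mod_ssl: with `SSLVerifyClient optional_no_ca` the handshake also completes when the client certificate chain cannot be verified against BelgiumRootCA.pem, so whatever consumes the forwarded SSL_CLIENT_* headers must check SSL_CLIENT_VERIFY before trusting the subject DN. The code assumes SSL_CLIENT_VERIFY and SSL_CLIENT_I_DN (both real mod_ssl variables, but not forwarded in the config above) are exported with two extra RequestHeader lines, and that DNs arrive in the slash-separated form Apache 2.0 produces; the sample header sets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Placeholder: the issuer country expected on a citizen certificate chained to
# the configured root. Take the real issuer DN from the CA file in production.
EXPECTED_ISSUER_C = "BE"


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse the slash-separated DN form ('/C=BE/CN=Jane Doe') into a dict.
    Assumption: attribute values do not themselves contain '/'."""
    parts: Dict[str, str] = {}
    for component in dn.split("/"):
        key, sep, value = component.partition("=")
        if sep:
            parts[key.strip()] = value.strip()
    return parts


@dataclass
class ClientIdentity:
    common_name: str
    serial_number: Optional[str]


def authenticate(headers: Dict[str, str]) -> Optional[ClientIdentity]:
    """Return the client identity only if mod_ssl verified the chain, else None.
    mod_ssl exports the literal '(null)' for an absent value (what the poster
    sees), so it is treated exactly like a missing header."""
    def get(name: str) -> Optional[str]:
        value = headers.get(name)
        return None if value in (None, "", "(null)") else value

    # optional_no_ca means SSL_CLIENT_VERIFY may be NONE, GENEROUS or
    # FAILED:<reason> while SSL_CLIENT_S_DN is still populated. Only SUCCESS
    # means the chain validated against SSLCACertificateFile within SSLVerifyDepth.
    if get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    subject, issuer = get("SSL_CLIENT_S_DN"), get("SSL_CLIENT_I_DN")
    if subject is None or issuer is None:
        return None
    s, i = parse_dn(subject), parse_dn(issuer)
    if i.get("C") != EXPECTED_ISSUER_C or "CN" not in s:
        return None
    return ClientIdentity(common_name=s["CN"], serial_number=s.get("serialNumber"))


# Constructed header sets: a verified certificate, and the poster's symptom.
VERIFIED = {"SSL_CLIENT_VERIFY": "SUCCESS",
            "SSL_CLIENT_S_DN": "/C=BE/CN=Jane Doe/serialNumber=12345678901",
            "SSL_CLIENT_I_DN": "/C=BE/CN=Citizen CA"}
NO_CERT = {"SSL_CLIENT_VERIFY": "(null)", "SSL_CLIENT_S_DN": "(null)"}

if __name__ == "__main__":
    print(authenticate(VERIFIED))  # ClientIdentity(...)
    print(authenticate(NO_CERT))   # None
```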