I don't know if my first mail hit the list. Sorry for the duplicate if it was the case....
Hi all,

First of all, thanks for the very good job with openssl. It really rocks!!

Now my question: I'm trying to set up strong authentication via client certificate (Belgian eID). You can see my Apache config:

NameVirtualHost *
<VirtualHost *>
    ServerAdmin [EMAIL PROTECTED]

    DocumentRoot /var/www/

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 5
    SSLCACertificateFile /etc/apache2/ssl/BelgiumRootCA.pem
    SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars +CompatEnvVars
    # SSLUserName SSL_CLIENT_S_DN_CN

    RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
    RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
    RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
    RequestHeader set SSL_CLIENT_S_DN_S %{SSL_CLIENT_S_DN_S}e
    RequestHeader set SSL_SERVER_S_DN %{SSL_SERVER_S_DN}e
    RequestHeader set SSL_PROTOCOL %{SSL_PROTOCOL}e
    RequestHeader set MyHeader "coucou"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        # Commented out for Ubuntu
        #RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel info

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

I've a small PHP script that dumps all the HTTP headers. All the HTTP headers about the client (SSL_CLIENT_XXX) contain (null) while SSL_SERVER_S_DN and SSL_PROTOCOL are successfully populated.

What's wrong with what I've done? I use my Belgian eID on other websites, so the root cause is not at the client side.

I also include my error.log that can maybe help you. It looks ok except for the timeout, but I don't know if I have to care about it.

[Mon May 22 15:23:12 2006] [notice] Apache/2.0.54 (Ubuntu) PHP/5.0.5-2ubuntu1.2 mod_ssl/2.0.54 OpenSSL/0.9.7g configured -- resuming normal operations
[Mon May 22 15:23:20 2006] [info] Connection to child 0 established (server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:20 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:20 2006] [info] Initial (No.1) HTTPS request received for child 0 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Connection to child 0 closed with standard shutdown(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Connection to child 1 established (server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:27 2006] [info] Initial (No.1) HTTPS request received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Subsequent (No.2) HTTPS request received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:42 2006] [info] (70007)The timeout specified has expired: SSL input filter read failed.
[Mon May 22 15:23:42 2006] [info] Connection to child 1 closed with standard shutdown(server localhost.localdomain:443, client 127.0.0.1)

Thanks in advance for your help

François
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]