Hello, I faced the same issue. Actually, client authentication has been disabled on recent versions. It has nothing to do with your configuration.
See (on my blog): http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html and then: http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html

Regards,
--
Jean-Christophe Baptiste <j...@phocean.net>

On Tuesday, 19 January 2010 at 16:53 -0600, aa...@cs.wisc.edu wrote:
> I'm trying to go through the most basic tutorials on mod_ssl and I'm
> having a problem trying to get my server to issue a certificate request
> for a particular URL. I'm listing my Apache and OpenSSL version
> information.
>
> # httpd -v
> Server version: Apache/2.2.14 (Unix)
> Server built: Dec 3 2009 10:25:53
>
> # openssl version
> OpenSSL 1.0.0-fips-beta4 10 Nov 2009
>
> I've followed the steps of this tutorial:
>
> http://www.vanemery.com/Linux/Apache/apache-SSL.html
>
> I've also tried to follow the SSL HowTo on the Apache site:
>
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>
> I'll try to get at the heart of the issue. If I have the following in my
> ssl.conf file in the VirtualHost section
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> then everything works as expected. I have the client certificate
> installed in my client web browser, and when I click on the link to my
> https server, which is https://myserver, then it prompts me to get the
> certificate of the server and confirm a security exception, and also
> prompts me with a user identification request, at which point I can choose
> a certificate to identify the client to my server. I see my index.html
> page, which has a link to the directory https://myserver/Certneeded. I
> can click on this directory and see a list of the files in that directory.
>
> However, if I change my ssl.conf in an attempt to "force clients to
> authenticate using certificates for a particular URL, but still allow
> arbitrary clients to access the rest of the server", as per the Apache
> HowTo, then I never get prompted for this "user identification request" to
> which I can identify my client web browser to the server.
>
> In this case, my ssl.conf file changes to the following.
>
> SSLVerifyClient none
> <Location /Certneeded>
>     Options Indexes
>     SSLVerifyClient require
>     SSLVerifyDepth 1
> </Location>
>
> Now, when I click on the link to https://myserver/Certneeded, the client
> browser just hangs until a timeout is reached, I'm never prompted to
> present a certificate for identification, and the contents of the
> directory are not listed.
>
> In Wireshark, I see a client hello, followed by a server hello, followed
> by a change cipher spec, presumably because I was never prompted for an
> identification certificate by the server within a set time.
>
> In the "good" case, when my "SSLVerifyClient require" statement is in the
> VirtualHost section of the ssl.conf file, in Wireshark, I see a client
> hello, followed by a server hello, followed by a "certificate, server key
> exchange, certificate request", which seems to be where the window pops up
> in my client prompting me with a user identification request.
>
> In trying to debug this, I noticed that if I do a hack and revert back to
> an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that
> both configurations (per-server and per-directory contexts) work as
> expected. What might be wrong here?
>
> Aaron
>
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majord...@modssl.org
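The per-Location `SSLVerifyClient require` in the question only works because mod_ssl renegotiates the TLS session after it has seen the request URI, and that mid-connection renegotiation is exactly what the CVE-2009-3555 fix in newer OpenSSL builds switched off. The configuration below is an added example, not from the thread or from the linked blog posts: it asks for the client certificate during the initial handshake (`SSLVerifyClient optional` at VirtualHost level, so anonymous clients are still admitted) and then gates `/Certneeded` on the verification result that already exists, so no renegotiation is needed. `ServerName`, the certificate paths and `DocumentRoot` are placeholders; that this avoids the hang on the asker's exact Apache/OpenSSL build is an assumption.

```apache
# Added example (not the original poster's ssl.conf): request the client
# certificate in the first handshake instead of forcing a renegotiation
# inside <Location>. All paths and the hostname are assumed placeholders.
<VirtualHost _default_:443>
    ServerName myserver
    DocumentRoot /var/www/html                            # assumed path

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/server.key # assumed path
    # CA that issued the client certificates; needed so the server can list
    # acceptable CAs in its CertificateRequest during the initial handshake.
    SSLCACertificateFile  /etc/pki/tls/certs/ca.crt       # assumed path

    # Ask for, but do not insist on, a client certificate up front. Clients
    # without one still reach the rest of the site, and the server never has
    # to renegotiate later to obtain a certificate.
    SSLVerifyClient optional
    SSLVerifyDepth 1

    <Location /Certneeded>
        Options Indexes
        # Do not raise SSLVerifyClient here (that is the renegotiation trigger).
        # Instead, deny unless the certificate presented in the initial
        # handshake verified successfully against the configured CA.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

With `SSLVerifyClient optional`, a browser that holds a matching client certificate shows its identification prompt on the very first connection to the host rather than on the first visit to `/Certneeded`; a client that declines to send one is admitted everywhere except `/Certneeded`, where `SSL_CLIENT_VERIFY` is `NONE` and mod_ssl answers 403. When checking a server after this change, the `Acceptable client certificate CA names` section in `openssl s_client` output confirms that the CertificateRequest now arrives in the initial handshake.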