Hi,

somewhat off topic, but as there are so many users of
Apache/ModSSL around here (and I already asked on the
modssl mailing list):

I want an Apache SSL server to request client
authentication. This works. Additionally I want
to restrict access only to certain users with
a valid certificate. So I use SSLRequire for
the document root directory of the server:

SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
<Directory "/home/apache/htdocs/ssltest">
    AllowOverride None
    Options +FollowSymLinks +Includes
    Satisfy all
    Order deny,allow
    Deny from all
    Allow from localhost
    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLRequireSSL
    SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
        && %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
        && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
</Directory>

But I can still access the server with a client certificate
that has "testuser2" (different from "Testuser"!) as
SSL_CLIENT_S_DN_CN (this certificate was issued by the
correct CA, but the SSLRequire should deny access). The
SSL_CLIENT_S_DN_CN is set correctly in the Apache
environment (I print that on the webpage using the
SSI command "printenv"). What else could I have
missed?

Thanx for help, cheers, Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]