Dominique Lohez wrote:
>> Still don't know what I am doing wrong. Here's my complete
>> actual config (if someone really would want to look at it)
>> ;-) Seems as if the SSLRequire never comes into effect
>> (even if I compare the CN with "Foo" instead of "Testuser"
>> access is allowed)...
>>
> In fact the
> Allow from localhost
> directive should be removed or the test should be carried out from
> another host:
>
> Since this directive is matched by the test connection
> the other directives are considered and so the SSLRequire directive is
> not used
Thanks Dominique so far!
Hmmm... right now I think I tried every possible
combination of "Satisfy", "Order", "Allow", "Deny"
and "SSLOptions StrictRequire" and SSLRequire.
Whenever there is a directive "Allow" allowing
access, access is granted (so SSLRequire has
no effect), when a Deny is in effect (or no
explicit Allow), access is denied (again SSLRequire
has no effect). Is there some documentation about
the interaction between the different authorization-
and access-control mechanisms from the different
modules? Or is there some possibility to debug the
evaluation process of the access control of Apache?
Again the relevant part of my configuration (will
move this to the Apache mailing list, because it becomes
a little bit off topic):
<Directory /home/httpd/htdocs/ssltest>
    AllowOverride None
    Options FollowSymLinks +Includes
    SSLOptions +StrictRequire
    Order deny,allow
    Deny from all
    Allow from 192.168.2 127.0.0.1
    SSLRequireSSL
    SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
              && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
</Directory>
Cheers, Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet