RE: mod_ssl: SSLRequire

2006-04-05 Thread Oliver.Schaudt
Perhaps
  SSLVerifyClient require

Default is
  SSLVerifyClient none

Greetings

Oliver
-Original Message-
From: [EMAIL PROTECTED] on behalf of Olaf Gellert
Sent: Wed 05.04.2006 14:08
To: modssl-users@modssl.org
Subject: mod_ssl: SSLRequire
 
I am trying to do X.509 client authentication with
Apache/2.0.54. This works fine. Now I want to check
for certain fields in the client certificate with
SSLRequire. Even though I ask that

%{SSL_CLIENT_S_DN_CN} eq Testuser

the server permits access to a client with
SSL_CLIENT_S_DN_CN=testuser2. What's wrong?

Here is the according section from my config:

 SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
 <Directory /home/gellert/htdocs/ssltest>
   AllowOverride None
   Options +FollowSymLinks +Includes
   Order deny,allow
   Deny from all
   Allow from localhost
   SSLRequireSSL
   SSLRequire (%{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" and \
               %{SSL_CLIENT_S_DN_OU} eq "User Certificates" and \
               %{SSL_CLIENT_S_DN_CN} eq "Testuser")
 </Directory>

Anything forgotten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm... Any clues?

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: mod_ssl: SSLRequire

2006-04-05 Thread Olaf Gellert
[EMAIL PROTECTED] wrote:
 Perhaps
   SSLVerifyClient require
 
 Default is
   SSLVerifyClient none

Good idea, but this is set already (otherwise the
client would not authenticate with the certificate)
for this virtual host. Moving it into the directory
section does not change anything either. And VerifyDepth
is set, too...

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet



RE: mod_ssl: SSLRequire

2006-04-05 Thread Oliver.Schaudt
 
[EMAIL PROTECTED] wrote:
 Perhaps
   SSLVerifyClient require
 
 Default is
   SSLVerifyClient none

Good idea, but this is set already (otherwise the
client would not authenticate with the certificate)
for this virtual host. Moving it into the directory
section does not change anything either. And VerifyDepth
is set, too...

How deep is VerifyDepth?

I know it will be a big file, but for this purpose I usually turn on
LogLevel Debug; then the error_log becomes very verbose.
There Apache will tell you whether your testuser is checked or not.

Olaf

bye

Oliver



Re: mod_ssl: SSLRequire

2006-04-05 Thread Olaf Gellert
[EMAIL PROTECTED] wrote:

 How deep is VerifyDepth?

I guess this is the wrong direction of error checking.
VerifyDepth and VerifyRequire are used in evaluating the
certificate chain on SSL connection establishment; the
SSLRequire expression is evaluated after the HTTP request
is successfully transmitted and the server already knows
which webpage is requested (it's a directory section...)

Of course VerifyDepth is sufficient (every value above 2
works in my case, as expected); if it were not, the error
would be something like "unable to get issuer certificate",
because evaluation starts at the leaf (= client certificate)
going up to the root CA cert.

 I know it will be a big file, but for this purpose I usually turn on
 LogLevel Debug; then the error_log becomes very verbose.
 There Apache will tell you whether your testuser is checked or not.

What would that look like? I see at the connection
establishment:

[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate 
Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root,
issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate 
Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA
01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate 
Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User
Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01

After many bytes of packet dump I see the HTTP request
arrived:

[Wed Apr 05 19:17:59 2006] [info] Initial (No.1) HTTPS request received for 
child 0 (server www.testserver.de:443)

and then again lots of bytes (the webpage that is delivered).
Nothing about the check of SSLRequire...

Thanx for your help anyways. :-)  I guess the next step
will be stracing the whole thing...

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

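As an added example (not code from the thread or from mod_ssl), the following Python script parses the three "Certificate Verification" debug lines Olaf quoted, checks that the chain links up issuer-to-subject, and then evaluates the same three conditions as his SSLRequire line against the depth-0 subject, so the expected access decision can be checked offline; it assumes the mail-wrapped log lines are re-joined and that no DN attribute value contains "/" or ",".

```python
import re

# Constructed sample: the three "Certificate Verification" debug lines from the
# thread, re-joined onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01
"""

LINE_RE = re.compile(
    r"Certificate Verification: depth: (\d+), subject: (\S.*?), issuer: (\S.*)$"
)

def parse_dn(dn):
    """Split an OpenSSL one-line DN (/C=DE/O=.../CN=...) into a dict.
    Assumes no '/' inside attribute values, which holds for these samples."""
    parts = {}
    for item in dn.strip("/").split("/"):
        key, _, value = item.partition("=")
        parts[key] = value
    return parts

def parse_chain(log_text):
    """Return {depth: (subject_dict, issuer_dict)} from mod_ssl debug lines."""
    chain = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            chain[int(m.group(1))] = (parse_dn(m.group(2)), parse_dn(m.group(3)))
    return chain

def chain_is_linked(chain):
    """Each certificate's issuer must equal the subject one depth above it."""
    return all(chain[d][1] == chain[d + 1][0] for d in chain if d + 1 in chain)

# The same three conditions as the SSLRequire line in Olaf's config. 'eq' is an
# exact, case-sensitive string comparison, so "testuser2" can never match.
REQUIRED = {"O": "SSLTest SubCA 01", "OU": "User Certificates", "CN": "Testuser"}

def evaluate_require(chain, required=REQUIRED):
    """Emulate the SSLRequire predicate on the depth-0 (client) subject.
    Returns (allowed, list_of_failing_attributes)."""
    subject = chain[0][0]
    failures = [k for k, v in required.items() if subject.get(k) != v]
    return (not failures, failures)

if __name__ == "__main__":
    c = parse_chain(SAMPLE_LOG)
    print("chain linked:", chain_is_linked(c), "| SSLRequire:", evaluate_require(c))
```

With the quoted log the chain verifies but the predicate fails on CN, which is the decision SSLRequire should have produced; if the server still serves the page, the directive is not being reached for that request rather than evaluating wrongly.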