Hi, Question: How do I craft an `openssl verify` command to test validating the client's SSL cert in a way that mimics what Apache is actually doing, based on the configuration directives in use?
I have been looking through the source code, but it's been over 25 years since I studied Kernighan and Ritchie in college and I'm struggling to follow it through. My assumption has been that `SSLCARevocationCheck chain` is equivalent to `openssl verify -crl_check_all`, whereas `SSLCARevocationCheck leaf` is equivalent to `openssl verify -crl_check`, but this seems to be complicated by the SSLCARevocationPath directive, as there does not seem to be an `openssl verify` analog for using a CRL path, only the CA path or CA file. If I concatenate the Trusted CA Certs with the Trusted CAs' CRLs, `openssl verify -crl_check_all -CAfile <concatenated file>` verifies the client certificate, but that doesn't follow the way that Apache is configured.

The current relevant config looks like...

    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    SSLCARevocationCheck chain
    SSLCARevocationPath "/etc/pki/tls/crls/"
    SSLVerifyClient require
    SSLVerifyDepth 9

Before stepping further, I have to correct the CRLs and CA chain setup. /etc/pki/tls/crls/ has the hash links to the downloaded CRLs for the trusted CAs; the ca-bundle.crt is a symlink to what's been generated by update-ca-trust from the trusted CA certs in /etc/pki/ca-trust/source/anchors.

We are facing an issue where clients with SSL client certs from one particular trusted authority are not being validated and mod_ssl is throwing an "unable to get certificate CRL" error. What is strange is that we are not getting this issue on client certs issued by other trusted authorities.

Thanks for reading and any kind nudges in the right direction :)

--Sean
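The following script is an added example, not code from the post or from mod_ssl. It builds a throwaway root CA with one good and one revoked client certificate, lays the CA cert and its CRL out in a hashed directory the way `SSLCARevocationPath` expects (`<hash>.0` for certificates, `<hash>.r0` for CRLs), and then runs `openssl verify` with the mapping the post assumes: `SSLCACertificateFile` to `-CAfile`, `SSLCARevocationPath` to `-CApath` (OpenSSL's hashed-directory lookup serves CRLs as well as certificates, so a separate CRL-path option is not needed), and `SSLCARevocationCheck chain` to `-crl_check_all`. That mapping is an assumption about mod_ssl's behaviour, not something taken from its source. The last function drops the CRL source entirely, which reproduces the "unable to get certificate CRL" error from the post; that error (X509_V_ERR_UNABLE_TO_GET_CRL) means the verifier found no CRL for some issuer in the chain, and with chain-wide checking every CA in the chain, including an intermediate, needs a CRL in the path. All names and paths are constructed for this example and assume a working `openssl` binary.

```shell
#!/bin/sh
# Added example, not from the original post or from mod_ssl: throwaway CA, one good
# and one revoked client cert, a hashed CRL directory in SSLCARevocationPath layout,
# and openssl verify invoked the way mod_ssl's chain check is assumed to behave.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf for the demo CA (constructed for this example).
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
touch "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 1000 > "$WORK/crlnumber"

issue_cert() {  # $1 = CN; writes $WORK/$1.key and $WORK/$1.crt signed by the demo CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -config "$WORK/ca.cnf" 2>/dev/null
  openssl ca -batch -config "$WORK/ca.cnf" -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# 1. Self-signed root CA: plays the role of an entry in SSLCACertificateFile.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 365 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cnf" 2>/dev/null
# 2. Two client certs; revoke one and publish the CRL.
issue_cert client_good
issue_cert client_revoked
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client_revoked.crt" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
# 3. Hashed directory as SSLCARevocationPath wants it: <hash>.0 for certs, <hash>.r0 for CRLs.
mkdir "$WORK/store"
cp "$WORK/ca.crt" "$WORK/store/$(openssl x509 -noout -hash -in "$WORK/ca.crt").0"
cp "$WORK/ca.crl" "$WORK/store/$(openssl crl -noout -hash -in "$WORK/ca.crl").r0"

# Assumed mapping: SSLCACertificateFile -> -CAfile, SSLCARevocationPath -> -CApath
# (CRLs come from the same hashed lookup), SSLCARevocationCheck chain -> -crl_check_all.
# Prints openssl's verdict and returns its exit status.
verify_like_modssl() {
  openssl verify -crl_check_all -CAfile "$WORK/ca.crt" -CApath "$WORK/store" "$1" 2>&1
}

# Same check with no CRL source at all: reproduces "unable to get certificate CRL".
verify_without_crls() {
  openssl verify -crl_check_all -CAfile "$WORK/ca.crt" "$1" 2>&1
}

verify_like_modssl "$WORK/client_good.crt"    || true   # expected: ...: OK
verify_like_modssl "$WORK/client_revoked.crt" || true   # expected: certificate revoked
verify_without_crls "$WORK/client_good.crt"   || true   # expected: unable to get certificate CRL
```

To point this at a real deployment, replace `-CAfile "$WORK/ca.crt"` with the server's `SSLCACertificateFile` and `-CApath "$WORK/store"` with its `SSLCARevocationPath`, and keep `-crl_check_all` for `chain` or use `-crl_check` for `leaf`. Because the chain check needs a CRL for every issuer, running the command against a certificate from the failing authority and looking at the depth reported in the "unable to get certificate CRL" line shows which CA in that chain has no `<hash>.r0` entry in the directory.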
