mod_ssl: SSLRequire

on 05.04.2006 14:08:42 by Olaf Gellert

I try to do X.509 client authentication with Apache
Apache/2.0.54. This works fine. Now I want to check
for certain fields in the client certificate with
SSLRequire. Even though I ask that

%{SSL_CLIENT_S_DN_CN} eq "Testuser"

the server permits access to a client with
SSL_CLIENT_S_DN_CN="testuser2". What's wrong?

Here is the corresponding section of my config:

SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire

AllowOverride None
Options +FollowSymLinks +Includes
Order deny,allow
Deny from all
Allow from localhost
SSLRequireSSL
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
&& %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
&& %{SSL_CLIENT_S_DN_CN} eq "Testuser" )


Anything forgotten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm.... Any clues?

Olaf

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
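Added example (not from the thread or from mod_ssl): a small evaluator for the subset of the SSLRequire expression language used above (`%{VAR}`, quoted strings, `eq`/`ne`, `&&`, `||`, parentheses), run against the exact directive and the #printenv values Olaf posted, so you can confirm that the expression really yields false for CN=testuser2 before suspecting where the directive is applied. It assumes an unset variable compares as the empty string, which is noted in the code.

```python
import re

# Tokens handled (a subset of SSLRequire): %{VAR}, "string", eq/ne, &&, ||, parentheses.
_TOKEN = re.compile(r'%\{\w+\}|"[^"]*"|&&|\|\||eq|ne|[()]')

def tokenize(expr):
    toks = _TOKEN.findall(expr)
    if re.sub(r'\s', '', ''.join(toks)) != re.sub(r'\s', '', expr):  # something unmatched
        raise ValueError("unexpected characters in %r" % expr)
    return toks

# Recursive descent, consuming the token list from the front:
# expr := and ('||' and)*;  and := term ('&&' term)*;  term := '(' expr ')' | value (eq|ne) value
def _expr(toks, env):
    val = _and(toks, env)
    while toks and toks[0] == '||':
        toks.pop(0); rhs = _and(toks, env); val = val or rhs
    return val
def _and(toks, env):
    val = _term(toks, env)
    while toks and toks[0] == '&&':
        toks.pop(0); rhs = _term(toks, env); val = val and rhs
    return val
def _term(toks, env):
    tok = toks.pop(0)
    if tok == '(':
        val = _expr(toks, env)
        assert toks.pop(0) == ')', "missing closing parenthesis"
        return val
    left, op, right = _value(tok, env), toks.pop(0), _value(toks.pop(0), env)
    return {'eq': left == right, 'ne': left != right}[op]  # KeyError on an unknown operator
def _value(tok, env):
    if tok.startswith('%{'):  # an unset variable reads as "" (assumption about mod_ssl)
        return env.get(tok[2:-1], '')
    if tok.startswith('"'):
        return tok[1:-1]
    raise ValueError("expected a value, got %r" % tok)

def ssl_require(expr, env):  # Apache backslash-newline continuations are joined first
    toks = tokenize(expr.replace('\\\n', ' '))
    result = _expr(toks, env)
    if toks:
        raise ValueError("trailing tokens after expression")
    return result
# The directive and the #printenv values from the thread.
RULE = '''( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \\
&& %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \\
&& %{SSL_CLIENT_S_DN_CN} eq "Testuser" )'''
ENV_TESTUSER2 = {"SSL_CLIENT_S_DN_O": "SSLTest SubCA 01",
                 "SSL_CLIENT_S_DN_OU": "User Certificates", "SSL_CLIENT_S_DN_CN": "testuser2"}
```

`ssl_require(RULE, ENV_TESTUSER2)` returns False; the same rule with CN set to "Testuser" returns True, so the expression is not what lets testuser2 through.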

RE: mod_ssl: SSLRequire

on 05.04.2006 16:54:24 by Oliver.Schaudt

Perhaps
SSLVerifyClient require

Default is
SSLVerifyClient none

Greetings

Oliver

Re: mod_ssl: SSLRequire

on 05.04.2006 17:11:44 by Olaf Gellert

Oliver.Schaudt@unilog.de wrote:
> Perhaps
> SSLVerifyClient require
>
> Default is
> SSLVerifyClient none

Good idea, but this is set already (otherwise the
client would not authenticate with the certificate)
for this virtual host. Moving it into the directory
section does not change anything either. And VerifyDepth
is set, too...

Olaf

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet


RE: mod_ssl: SSLRequire

on 05.04.2006 17:43:07 by Oliver.Schaudt

>Oliver.Schaudt@unilog.de wrote:
>> Perhaps
>> SSLVerifyClient require
>>
>> Default is
>> SSLVerifyClient none

>Good idea, but this is set already (otherwise the
>client would not authentify with the certificate)
>for this virtual host. Moving it into the directory
>section does not change anything either. And VerifyDepth
>is set, too...

How deep is VerifyDepth?

I know it will be a big file, but for this purpose I usually turn on
"LogLevel Debug"; then the error_log will become very verbose.
There Apache will tell you whether your "testuser" is checked or not.

bye

Oliver



Re: mod_ssl: SSLRequire

on 05.04.2006 19:30:08 by Olaf Gellert

Oliver.Schaudt@unilog.de wrote:

> How deep is VerifyDepth ?

I guess this is the wrong direction of error checking.
VerifyDepth and VerifyRequire are used in evaluating the
certificate chain on SSL connection establishment; the
SSLRequire expression is evaluated after the HTTP request
has been successfully transmitted and the server already knows
which webpage is requested (it's a "directory" section...).

Of course VerifyDepth is sufficient (every value above 2
works in my case, as expected); if it were not, the error
would be something like "unable to get issuer certificate",
because evaluation starts at the leaf (= client certificate)
and goes up to the root CA cert.

> I know it will be a big file, but for this purposes i use to turn on
> "LogLevel Debug" than the error_log will become very verbose.
> There Apache will tell if your "testuser" will be checked or not .

What would that look like? I see at connection
establishment:

[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01

After many bytes of packet dump I see the HTTP request
arrived:

[Wed Apr 05 19:17:59 2006] [info] Initial (No.1) HTTPS request received for child 0 (server www.testserver.de:443)

and then again lots of bytes (the webpage that is delivered).
Nothing about the check of SSLRequire...

Thanx for your help anyways. :-) I guess the next step
will be stracing the whole thing...

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
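Added example (not from the thread): a parser for the per-certificate "Certificate Verification" debug lines quoted above that rebuilds the chain, checks that each issuer is the subject one depth up and that the top certificate is self-signed, and reports the leaf subject together with the smallest SSLVerifyDepth that accepts the chain (the depth index of its top certificate, 2 here). The three log lines are embedded as constructed input with the mail wrapping undone; only the log format shown in the message is assumed.

```python
import re

# Constructed from the three "Certificate Verification" debug lines quoted in the thread,
# with the mail client's line wrapping undone.
LOG = """[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01
"""

_VERIFY = re.compile(r'Certificate Verification: depth: (\d+), subject: (.*?), issuer: (.*)$')

def parse_chain(log):
    """Map depth -> (subject, issuer) from mod_ssl's per-certificate verification lines."""
    chain = {}
    for line in log.splitlines():
        m = _VERIFY.search(line)
        if m:
            chain[int(m.group(1))] = (m.group(2), m.group(3))
    return chain

def dn_field(dn, key):
    """Pick one attribute (e.g. 'CN') out of an OpenSSL one-line DN such as /C=DE/O=x/CN=y."""
    for part in dn.split('/'):
        if part.startswith(key + '='):
            return part[len(key) + 1:]
    return None

def check_chain(chain):
    """Verify the chain is contiguous, each issuer is the next subject up, and the top
    certificate is self-signed. Returns the leaf subject and the smallest SSLVerifyDepth
    that would accept the chain (the depth of its top certificate)."""
    depths = sorted(chain)
    if not depths or depths != list(range(len(depths))):
        return {"ok": False, "reason": "empty chain or gap in depths %s" % depths}
    for d in depths[:-1]:
        if chain[d][1] != chain[d + 1][0]:
            return {"ok": False, "reason": "issuer at depth %d is not the subject at depth %d" % (d, d + 1)}
    top = depths[-1]
    if chain[top][0] != chain[top][1]:
        return {"ok": False, "reason": "top certificate is not self-signed"}
    return {"ok": True, "leaf": chain[0][0], "min_verify_depth": top}

if __name__ == "__main__":
    result = check_chain(parse_chain(LOG))
    print(result, "leaf CN:", dn_field(result["leaf"], "CN"))
```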
