SSLVerifyClient statements causing problems?

SSLVerifyClient statements causing problems?

am 11.09.2002 21:46:56 von Ron Gedye

Hello List....

I searched the archives and saw a few mentions of the error that I am
seeing, but no solid solutions so here goes...


In attempting to use client certificates to provide/restrict access to
certain portions of my website I am encountering problems.

Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.7-b2

I believe my syntax is correct as no errors are reported when starting
apache.
However, the server dies hard (leaving pid file) with the error in both
errorlog & ssl_engine_errorlog of:
"Unable to configure verify locations for client authentication"

This is the only error.

Example of syntax:


SSLVerifyClient none



SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "MyOrg"



I have my SSLCACertificatePath & File set as well as the SSLCARevocation...
(Self signed CA via OpenCA 0.9.1 RC4)

Stumped on this one, (Not hard for a newby) everything was fine before
attempting the access restrictions.

Pointers Please.....

Thanks in advance

Ron

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLVerifyClient statements causing problems?

am 11.09.2002 21:50:58 von Roberto Hoyle

This is a cryptographically signed message in MIME format.

--------------ms030300060901060601050508
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Ron Gedye wrote:
[snip]

>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLOptions +FakeBasicAuth
> SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "MyOrg"
>
>
>
> I have my SSLCACertificatePath & File set as well as the SSLCARevocation...
> (Self signed CA via OpenCA 0.9.1 RC4)
>
> Stumped on this one, (Not hard for a newby) everything was fine before
> attempting the access restrictions.

Just a guess, but doesn't the SSLRequire statement require a close-paren?

r.

--------------ms030300060901060601050508
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH AQAAoIIGFDCC
AwYwggJvoAMCAQICAgGMMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYTAlVT MRowGAYDVQQK
ExFEYXJ0bW91dGggQ29sbGVnZTETMBEGA1UECxMKRGFydG1vdXRoMjEcMBoG A1UEAxMTQ2Vy
dGlmaWNhdGUgTWFuYWdlcjAeFw0wMjA4MjkxOTU1MzBaFw0wMzA4MjkxOTU1 MzBaMGUxGjAY
BgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRkwFwYDVQQDExBSb2JlcnRvIEou IEhveWxlMSww
KgYJKoZIhvcNAQkBFh1Sb2JlcnRvLkouSG95bGVARGFydG1vdXRoLmVkdTCB nzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAuuu+U41AzGqC0P89cxpPK86AbCwUjrzI2ZxJ Yw42LrJZbwgD
NQ+wnAHe28l8Jb4VJ53fq8nA/1jJPg+J0xxpeyrvmy8Oiv9wXyPg/GiQHqto dIpPNTIXFuy1
M1NMNn9q4i3wOczD0wk0bjOCf3S2jUAMRrOdFwbtEZRvjrQKxVkCAwEAAaOB zTCByjAOBgNV
HQ8BAf8EBAMCBeAwEQYJYIZIAYb4QgEBBAQDAgWgMEUGA1UdEQQ+MDyBHVJv YmVydG8uSi5I
b3lsZUBEYXJ0bW91dGguZWR1gRtyb2JlcnRvLmhveWxlQERhcnRtb3V0aC5F RFUwHwYDVR0j
BBgwFoAUoFg63z1FHo7cj9kkaBpoGAKnXvwwPQYIKwYBBQUHAQEEMTAvMC0G CCsGAQUFBzAB
hiFodHRwOi8vemVybWF0dC5kYXJ0bW91dGguZWR1L29jc3AwDQYJKoZIhvcN AQEFBQADgYEA
rPPhOkJVxiO9O5gDMBeaGxvzIchXYiciXSaFXflm7B9PbnFdhCMJHg40TjVw 9OfrPjxedVg3
eHsG59CWccIVsJ/RCl0X6ntgQLn2U5olqt+3F25NAzCBzjFQajksBDe1rhhG 9i9+8EmOH6Vg
UuUFPnut0DeKMx5hT9rv0Kv0//IwggMGMIICb6ADAgECAgIBjDANBgkqhkiG 9w0BAQUFADBc
MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENvbGxlZ2UxEzAR BgNVBAsTCkRh
cnRtb3V0aDIxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDIw ODI5MTk1NTMw
WhcNMDMwODI5MTk1NTMwWjBlMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVn ZTEZMBcGA1UE
AxMQUm9iZXJ0byBKLiBIb3lsZTEsMCoGCSqGSIb3DQEJARYdUm9iZXJ0by5K LkhveWxlQERh
cnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALrrvlON QMxqgtD/PXMa
TyvOgGwsFI68yNmcSWMONi6yWW8IAzUPsJwB3tvJfCW+FSed36vJwP9YyT4P idMcaXsq75sv
Dor/cF8j4PxokB6raHSKTzUyFxbstTNTTDZ/auIt8DnMw9MJNG4zgn90to1A DEaznRcG7RGU
b460CsVZAgMBAAGjgc0wgcowDgYDVR0PAQH/BAQDAgXgMBEGCWCGSAGG+EIB AQQEAwIFoDBF
BgNVHREEPjA8gR1Sb2JlcnRvLkouSG95bGVARGFydG1vdXRoLmVkdYEbcm9i ZXJ0by5ob3ls
ZUBEYXJ0bW91dGguRURVMB8GA1UdIwQYMBaAFKBYOt89RR6O3I/ZJGgaaBgC p178MD0GCCsG
AQUFBwEBBDEwLzAtBggrBgEFBQcwAYYhaHR0cDovL3plcm1hdHQuZGFydG1v dXRoLmVkdS9v
Y3NwMA0GCSqGSIb3DQEBBQUAA4GBAKzz4TpCVcYjvTuYAzAXmhsb8yHIV2In Il0mhV35Zuwf
T25xXYQjCR4ONE41cPTn6z48XnVYN3h7BufQlnHCFbCf0QpdF+p7YEC59lOa JarftxduTQMw
gc4xUGo5LAQ3ta4YRvYvfvBJjh+lYFLlBT57rdA3ijMeYU/a79Cr9P/yMYIC MjCCAi4CAQEw
YjBcMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENvbGxlZ2Ux EzARBgNVBAsT
CkRhcnRtb3V0aDIxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXICAgGM MAkGBSsOAwIa
BQCgggEmMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF MQ8XDTAyMDkx
MTE5NTA1OFowIwYJKoZIhvcNAQkEMRYEFNtkWtKwkN5hXvDlg9pSCAEtH2ky MFIGCSqGSIb3
DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3 DQMCAgFAMAcG
BSsOAwIHMA0GCCqGSIb3DQMCAgEoMHMGCyqGSIb3DQEJEAILMWSgYjBcMQsw CQYDVQQGEwJV
UzEaMBgGA1UEChMRRGFydG1vdXRoIENvbGxlZ2UxEzARBgNVBAsTCkRhcnRt b3V0aDIxHDAa
BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXICAgGMMA0GCSqGSIb3DQEBAQUA BIGAkqJrzNFS
7ppae97Za1quqO6QKUZL+GxtUbJywQFTK/lTosjMLL7QepMd8CPBSullhvSg KS/UlwlfLrMN
mb6BphVba2NB3qHTc9FDH4NPlxl2Kd9c2pwbrUHz/51KJX68lp1dEkrGtitZ wNQW7Dk5AEA8
kMh+X1s9txdRHTtNXnIAAAAAAAA=
--------------ms030300060901060601050508--

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLVerifyClient statements causing problems?

am 11.09.2002 22:15:11 von Ron Gedye

Typo in my email, ( modified from actual syntax) should read:
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "MyOrg" )
----- Original Message -----
From: "Roberto Hoyle"
To:
Sent: Wednesday, September 11, 2002 2:50 PM
Subject: Re: SSLVerifyClient statements causing problems?


> Ron Gedye wrote:
> [snip]
>
> >
> > SSLVerifyClient require
> > SSLVerifyDepth 1
> > SSLOptions +FakeBasicAuth
> > SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "MyOrg"
> >
> >
> >
> > I have my SSLCACertificatePath & File set as well as the
SSLCARevocation...
> > (Self signed CA via OpenCA 0.9.1 RC4)
> >
> > Stumped on this one, (Not hard for a newby) everything was fine before
> > attempting the access restrictions.
>
> Just a guess, but doesn't the SSLRequire statement require a close-paren?
>
> r.
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org