SSLRequire

on 26.04.2006 14:10:10 by Olaf Gellert

Hi,

I still have trouble configuring apache 2.0 with the
SSLRequire directive. For me it looks like this:

When I have something that allows access (e.g.
"allow 192.186.2" and I connect from that
network), then access is allowed (and the
SSLRequire expression has no effect, it is
simply ignored). When I have something that
denies access (e.g. "deny all"), then access
is denied (again SSLRequire has no effect).
How are these mechanisms supposed to interact?

I did try "Satisfy any" and "Satisfy all",
and I tried "SSLOptions +StrictRequire",
but it did not help. I want to restrict access to a
directory of the webserver to only certain
users (= X.509 certificates). Does anyone have a
working config for this? At the end of this
mail is a part of my configuration... So client
authentication is already required, but the
entries from the certificates are not considered
when granting access.

Thanx for any help, cheers, Olaf

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
SSLCertificateFile /etc/apache2/ssl.ssltest/server-cert.pem
SSLCertificateKeyFile /etc/apache2/ssl.ssltest/server-key.pem
SSLCertificateChainFile /etc/apache2/ssl.ssltest/server-chain.pem
SSLCACertificateFile /etc/apache2/ssl.ssltest/clientcachain.pem
SSLVerifyClient require
SSLVerifyDepth 3

# Placeholder path: the container's opening tag did not survive in the archived message.
<Directory /path/to/restricted-dir>
AllowOverride None
Options +FollowSymLinks +Includes
Order deny,allow
Deny from all
Allow from 192.168.2 127.0.0.1
SSLRequireSSL
SSLOptions +StdEnvVars +StrictRequire
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
&& %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
</Directory>

--
Dipl.-Inform. Olaf Gellert, Senior Researcher
PRESECURE (R) Consulting GmbH
Phone: (+49) 0700 / PRESECURE, og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
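As an added example (not from the post or from mod_ssl itself), a small Python evaluator for the subset of SSLRequire syntax used in the rule above, so an admin can check which certificate subjects a rule would admit before reloading httpd.conf. It handles only %{VAR}, quoted strings, eq/ne, && and parentheses, and the SSL_CLIENT_S_DN_* values it is fed are constructed, not taken from real certificates.

```python
import re

# SSLRequire subset handled here: %{VAR}, "string", eq / ne, &&, parentheses.
TOKEN_RE = re.compile(r'%\{\w+\}|"[^"]*"|&&|[()]|\b(?:eq|ne)\b')

def ssl_require(expr, env):
    """True if the SSLRequire expression holds for the mod_ssl variables in env (a dict)."""
    src = expr.replace("\\\n", " ")                   # join httpd.conf line continuations
    toks = TOKEN_RE.findall(src)
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", src):
        raise SyntaxError("expression uses syntax outside the supported subset")
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else None
    def operand():
        tok = take() or ""
        if tok.startswith("%{"):
            return env.get(tok[2:-1], "")            # mod_ssl expands unset variables to ""
        if tok.startswith('"'):
            return tok[1:-1]
        raise SyntaxError(f"expected operand, got {tok!r}")
    def term():                                       # "( expr )" or a single comparison
        if toks[pos:pos + 1] == ["("]:
            take()
            value = conjunction()
            if take() != ")":
                raise SyntaxError("missing ')'")
            return value
        left, op, right = operand(), take(), operand()
        if op not in ("eq", "ne"):
            raise SyntaxError(f"expected eq/ne, got {op!r}")
        return (left == right) if op == "eq" else (left != right)
    def conjunction():                                # term && term && ...
        result = term()
        while toks[pos:pos + 1] == ["&&"]:
            take()
            result = term() and result                # keep parsing the right side even if already False
        return result
    result = conjunction()
    if pos != len(toks):
        raise SyntaxError(f"unexpected token {toks[pos]!r}")
    return result

# The rule from the post, plus constructed SSL_CLIENT_S_DN_* values as mod_ssl would export them.
RULE = '( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \\\n  && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )'
CERTS = {"testuser": {"SSL_CLIENT_S_DN_O": "SSLTest SubCA 01", "SSL_CLIENT_S_DN_CN": "Testuser"},
         "same-org": {"SSL_CLIENT_S_DN_O": "SSLTest SubCA 01", "SSL_CLIENT_S_DN_CN": "Mallory"},
         "no-org": {"SSL_CLIENT_S_DN_CN": "Testuser"}}
```

A rule that keys only on subject fields trusts every CA in SSLCACertificateFile to issue those fields honestly; the same evaluator can check a rule that also pins the issuer via SSL_CLIENT_I_DN_* variables.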