On 04/03/2013 7:33 AM, "Michele Mase'" <michele.mase@xxxxxxxxx> wrote:
>
> Anyone?
>
>
> On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.mase@xxxxxxxxx> wrote:
>>
>> I'm testing a client authentication using:
>>
>> SSLCACertificateFile /path/to/pemfile.pem
>> <LocationMatch "/test">
>> SSLVerifyClient require
>> SSLVerifyDepth 2
>> SSLOptions +StdEnvVars +ExportCertData
>> SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>> /LocationMatch>
>>
>>
>> I should use two different CA with the same DN (file /path/to/pemfile.pem)
>> When i try to use this configuration I receive:
>> Access totest denied for 10.10.10.10 (requirement _expression_ not fulfilled)
>> Failed _expression_: %{SSL_CLIENT_I_DN} eq ...
>>
>> The only way it works is without the SSLRequire directive.
>> or
>> Using only one CA in the file (file /path/to/pemfile.pem)
>>
>> Some suggestions?
>>
>> Regards
>> Michele Masè
>
>
Please paste the output of
# openssl x509 -noout -in /path/to/pemfile.pem -text
so we know what are we talking about here. If multiple dn in the file why are you trying to match one using eq then? Anyway, the above command will show us the issuer dn string and you can see what are you doing wrong.
|