Re: Re: mod_ssl help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

One problem is almost solved!
Two issuer dn are similar but not the same, there is a capital letter in the first dn and a normal letter in the other ...
But something with the authentication is wrong/missing ...
It complains about a refused renegotiation from the client side.
I'm confused, I don't know how to proceed.


On Mon, Mar 4, 2013 at 1:19 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:



On Mon, Mar 4, 2013 at 10:42 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
What I was trying to point to is this:

# openssl x509 -noout -in /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
        Validity
            Not Before: Aug 28 07:24:33 2008 GMT
            Not After : Dec 31 15:59:59 2030 GMT
        Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
.
.
.

as you can see the DN is coma separated not / separated ....

On the other hand when tested with "openssl s_connect" for one of my certificates it comes out as "issuer=/C=AU/ST=NSW/L=Sydney/...." so sorry for the confusion seams the / separator is correct.

Any way, what does the test "openssl s_client -ssl3 -connect server_name:443" show in your case?



On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' <michele.mase@xxxxxxxxx> wrote:
The issuer dn is the same; the pem file is a ca bundle.


On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:


On 04/03/2013 7:33 AM, "Michele Mase'" <michele.mase@xxxxxxxxx> wrote:
>
> Anyone?
>
>
> On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.mase@xxxxxxxxx> wrote:
>>
>> I'm testing a client authentication using:
>>
>> SSLCACertificateFile /path/to/pemfile.pem
>> <LocationMatch "/test">
>>         SSLVerifyClient require
>>         SSLVerifyDepth 2
>>         SSLOptions +StdEnvVars +ExportCertData
>>         SSLRequire  %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>> /LocationMatch>
>>
>>
>> I should use two different CA with the same DN (file /path/to/pemfile.pem)
>> When i try to use this configuration I receive:
>> Access totest denied for 10.10.10.10 (requirement _expression_ not fulfilled)
>> Failed _expression_: %{SSL_CLIENT_I_DN} eq ...
>>
>> The only way it works is without the SSLRequire directive.
>> or
>> Using only one CA in the file (file /path/to/pemfile.pem)
>>
>> Some suggestions?
>>
>> Regards
>> Michele Masè
>
>
Please paste the output of

# openssl x509 -noout -in /path/to/pemfile.pem -text

so we know what are we talking about here. If multiple dn in the file why are you trying to match one using eq then? Anyway, the above command will show us the issuer dn string and you can see what are you doing wrong.





[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux