Similar issuer dn mod_ssl client authentication issue

I'm testing a client authentication using:

SSLCACertificateFile /path/to/pemfile.pem

<LocationMatch "/test">
        SSLVerifyClient require
        SSLVerifyDepth 2
</LocationMatch>

My env:
CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3 (Unix) - Server built:   Feb  7 2013 14:32:46

I have 2 CA X.509 PEM files, bundled.
CA1 signs client1 certificate files
CA2 signs client2 certificate files
I should use two different CAs with a similar issuer DN OU in a bundle (file /path/to/pemfile.pem)

openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example S.p.A./OU=CA Organization Unit/emailAddress=info@xxxxxxxxxxx

openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example S.p.A./OU=CA organization Unit/emailAddress=info@xxxxxxxxxxx


The only difference between the 2 CAs is the capital letter in the OU field.

When I try to use this configuration I receive a 403 error:

[Mon May 06 09:33:28.115455 2013] [ssl:error] [pid 5120:tid 139860297901824] [client 10.0.2.2:59798] AH02261: Re-negotiation handshake failed: Not accepted by client!?

The only way it works is without the SSLRequire directive.
or
Using only one CA in the file (file /path/to/pemfile.pem)
or using
SSLVerifyClient optional|optional_no_ca
But I'm still unable to retrieve client cert data; I don't know if the client is authenticated or not.

The same configuration using openssl_server works; it seems like an incorrect (or incomplete) mod_ssl OpenSSL implementation.

Addendum:
The bundle file contains CA1 and CA2; client certificates signed by CA1 (client1) work, client certificates signed by CA2 (client2) don't work.
If I change the order of the two certificates in the /path/to/pemfile.pem, it happens that:
The bundle file contains CA2 and CA1; client certificates signed by CA2 (client2) work, client certificates signed by CA1 (client1) don't work.

The same site under iis works :(

How could I solve it using Apache?
Some suggestions?

Regards
Michele Masè
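The two issuer DNs quoted in the post differ only in the case of one word in OU. Under the name-matching rules of RFC 5280 section 7.1 (and OpenSSL's X509_NAME_cmp, which since 1.0.0 compares a canonical encoding that case-folds and collapses whitespace in string-typed attributes), those two names compare as equal, so any CA store that looks an issuer up by subject name cannot tell CA1 from CA2 and will hand back whichever one it meets first. The following is an added example, not code from the post or from mod_ssl/OpenSSL: it parses the one-line DN format printed by `openssl x509 -issuer` (the legacy slash-separated form shown above), applies the RFC 5280 normalisation, flags CAs in a bundle whose subjects collide, and models a first-match issuer lookup to show the order dependence reported in the addendum. The two DN strings are copied from the post; the bundle labels and the store model are assumptions for illustration and do not reproduce OpenSSL's actual lookup code.

```python
import re
from collections import defaultdict

# Constructed from the two issuer DNs quoted in the post.
CA1_SUBJECT = ("/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days"
               "/O=Example S.p.A./OU=CA Organization Unit/emailAddress=info@xxxxxxxxxxx")
CA2_SUBJECT = ("/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days"
               "/O=Example S.p.A./OU=CA organization Unit/emailAddress=info@xxxxxxxxxxx")

# Split on '/' only where an attribute type and '=' follow, so a '/' inside a
# value (rare, but legal) does not break the parse.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_oneline_dn(dn):
    """Parse the legacy one-line DN printed by `openssl x509 -subject/-issuer`
    into a list of (type, value) pairs. Demonstration parser: it does not
    handle multi-valued RDNs or RFC 4514 escaping."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if not part:
            continue
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type, value))
    return rdns


def canonical_dn(dn):
    """RFC 5280 section 7.1 style normalisation of string attributes:
    case-fold, trim, and collapse internal whitespace runs to one space.
    Attribute types are lower-cased here only because they are short names
    in this text format (OpenSSL compares OIDs)."""
    return tuple(
        (attr_type.lower(), " ".join(value.split()).lower())
        for attr_type, value in parse_oneline_dn(dn)
    )


def dns_match(dn_a, dn_b):
    """True when the two names are equal under the matching rules above,
    even if the raw strings differ byte for byte."""
    return canonical_dn(dn_a) == canonical_dn(dn_b)


def find_colliding_subjects(bundle):
    """bundle: list of (label, subject_dn). Returns groups of labels whose
    subjects collide under the matching rules, i.e. CAs that a lookup keyed
    on subject name cannot distinguish. Run this over the subjects of every
    certificate in an SSLCACertificateFile before trusting it."""
    groups = defaultdict(list)
    for label, subject in bundle:
        groups[canonical_dn(subject)].append(label)
    return [labels for labels in groups.values() if len(labels) > 1]


def first_match_issuer(bundle, issuer_dn):
    """Model (an assumption, not OpenSSL's code) of a CA store that returns
    the first certificate whose subject matches the client cert's issuer.
    With colliding subjects the answer depends only on bundle order."""
    target = canonical_dn(issuer_dn)
    for label, subject in bundle:
        if canonical_dn(subject) == target:
            return label
    return None


if __name__ == "__main__":
    bundle = [("CA1", CA1_SUBJECT), ("CA2", CA2_SUBJECT)]
    print("raw strings equal:", CA1_SUBJECT == CA2_SUBJECT)
    print("match under RFC 5280 rules:", dns_match(CA1_SUBJECT, CA2_SUBJECT))
    print("colliding CAs in bundle:", find_colliding_subjects(bundle))
    for order in (bundle, list(reversed(bundle))):
        labels = [label for label, _ in order]
        print(labels, "-> lookup for client2's issuer picks",
              first_match_issuer(order, CA2_SUBJECT))
```

Feed `find_colliding_subjects` the output of `openssl x509 -noout -subject` for each certificate in the bundle; an empty result means every CA in the file has a distinguishable subject name. The practical fix this points at is to give the two CAs subject names that differ in more than letter case or whitespace, since those differences are exactly what the standard name-matching rules discard.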
