On Mon, Nov 01, 2010 at 04:42:41PM -0400, Jeff Blaine wrote:
...
> [Mon Nov 01 14:50:14 2010] [error] [client xxx.xx.160.29] access
> to /apps/rtsrv1dev/share/html/ failed, reason: SSL requirement
> expression not fulfilled (see SSL logfile for more details)
>
> However, note the "SUCCESS" (bogus?) via CustomLog of
> %{SSL_CLIENT_VERIFY}x

The "SUCCESS" doesn't sound bogus in this context - it merely indicates
whether or not the client cert itself verified OK, which is orthogonal
to SSLRequire.

You're not using the worker MPM here, are you?

> Here's what *DOES WORK* for all parties with certificates, but
> is not really what we want, and as I understand the docs, the
> other (full DN) should work.
>
> SSLRequire %{SSL_CLIENT_S_DN_CN} in { \

Yes, the full DN comparison should work; I wouldn't necessarily
recommend it though. It could be an SSLRequire bug you are hitting
here, can't say without debugging it; if you can verify with vanilla
upstream 2.2.17 you could file a bug at issues.apache.org, or else open
a support ticket with Red Hat for the RHEL5 package.

Regards, Joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.