You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by David <cl...@gmail.com> on 2013/09/25 22:01:36 UTC

[users@httpd] Re: Similar issuer dn mod_ssl client authentication issue

Michele Mase' <michele.mase <at> gmail.com> writes:

> 
> 
> 
> 
> 
> 
> 
> 
> 
> I'm testing a client authentication using:SSLCACertificateFile 
/path/to/pemfile.pem<LocationMatch "/test">
> 
> 
>         SSLVerifyClient require        SSLVerifyDepth 2/LocationMatch>
> My env:
> 
> 
> CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3 
(Unix) - Server built:   Feb  7 2013 14:32:46
> 
> 
> 
> I have 2 CA's x509 pem files, bundled.CA1 signs client1 certificate 
filesCA2 signs client2 certificate filesI should use two different CA with a 
similar issuer DN_OU in a bundle (file /path/to/pemfile.pem)
> 
> 
> openssl x509 -noout -in one.pem -
issuer/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 
90days/O=Example S.p.A./OU=CA Organization Unit/emailAddress=info <at> 
example.comopenssl x509 -noout -in one.pem -
issuer/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 
90days/O=Example S.p.A./OU=CA organization Unit/emailAddress=info <at> 
example.com
> 
> The only difference between 2 CAs is the capital letter in OU field.
> 
> 
> When i try to use this configuration I receive a 403 error:[Mon May 06 
09:33:28.115455 2013] [ssl:error] [pid 5120:tid 139860297901824] [client 
10.0.2.2:59798] AH02261: Re-negotiation handshake failed: Not accepted by 
client!?
> The only way it works is without the SSLRequire directive.
> or
> Using only one CA in the file (file /path/to/pemfile.pem)
> 
> 
> 
> or usingSSLVerifyClient optional|optional_no_ca
> 
> 
> 
> But I'm still unable to retrieve client cert data; I don't know if the 
client is authenticated or not.
> 
> 
> The same configuration using openssl_server works, it seems like an 
uncorrect (or incomplete) mod_ssl openssl's implementation.
> 
> Addendum:
> 
> The bundle file contains CA1 and CA2; client certificates signed by CA1 
(client1) work, client certificates signed by CA2 (client2) don't work.
> 
> If I change the order of the two certificates in the /path/to/pemfile.pem, 
it happens that:The budle file contains CA2 and CA1; client certificates 
signed by CA2 (client2) work, client certificates signed by CA1 (client1) 
don't work.
> 
> The same site under iis works :(
> 
> 
> How could I solve it using apache?
> Some suggestions?
> Regards
> Michele Masè


Hi Michele,

I was wondering if you ever found a solution for this.  I think I am running 
into a similar issue as some of my clients have no trouble using the 
certificate authentication while others can't seem to get it to work.  I too 
have created a bundle file with CA1 and CA2 and I am suspecting that the 
ones signed by the latter is not being recognized.  Any help will be 
appreciated.

Thanks,
David


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org