Olaf Gellert wrote:

Hi,

somewhat off topic, but as there are so many users of
Apache/ModSSL around here (and I already asked on the
modssl mailing list):

I want an Apache SSL server to request client
authentication. This works. Additionally I want
to restrict access only to certain users with
a valid certificate. So I use SSLRequire for
the document root directory of the server:

    SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
    <Directory "/home/apache/htdocs/ssltest">
      AllowOverride None
      Options +FollowSymLinks +Includes
      Satisfy all
      Order deny,allow
      Deny from all
      Allow from localhost
      SSLVerifyClient require
      SSLVerifyDepth  3
      SSLRequireSSL
      SSLRequire (   %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
                   && %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
                   && %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
    </Directory>

But I can still access the server with a client certificate
that has "testuser2" (different from "Testuser"!) as
SSL_CLIENT_S_DN_CN (this certificate was issued by the
correct CA, but the SSLRequire should deny access). The
SSL_CLIENT_S_DN_CN is set correctly in the Apache
environment (I print that on the webpage using the
SSI command "printenv"). What else could I have
missed?

Thanx for help, cheers, Olaf

You use the directive
    Order deny,allow
so the Deny directives are evaluated before the Allow directives, and furthermore everything which is not denied is allowed.

I suggest you use the
    Order allow,deny
directive, so that everything which is not allowed is denied.

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
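Added example (not code from the thread, from mod_ssl or from mod_access): a small Python model of how the access checks in Olaf's <Directory> block evaluate, following the documented semantics of mod_access's Order/Allow/Deny and of SSLRequire's `eq` comparison, so that the posted configuration, the swapped Order, and both certificates mentioned in the thread can be evaluated without a running Apache. The DN strings and the remote address 10.0.0.5 are constructed inputs; the host matching and DN parsing are simplifications of what the modules do.

```python
import re

# Subject attributes mod_ssl exports as SSL_CLIENT_S_DN_<attr> and the
# values Olaf's SSLRequire expression compares them against.
REQUIRED_SUBJECT = {
    "O": "SSLTest SubCA 01",
    "OU": "User Certificates",
    "CN": "Testuser",
}

# Host rules as posted: Deny from all / Allow from localhost.
DIRECTORY_ALLOW = ["localhost"]
DIRECTORY_DENY = ["all"]


def parse_dn(dn):
    """Split a mod_ssl style DN ("/O=x/OU=y/CN=z") into SSL_CLIENT_S_DN_*
    variables. Simplification: a repeated attribute keeps the last value
    and escaped slashes inside values are not handled."""
    return {"SSL_CLIENT_S_DN_" + attr: value
            for attr, value in re.findall(r"/([A-Za-z]+)=([^/]*)", dn)}


def ssl_require(env):
    """Evaluate the posted SSLRequire expression. `eq` is an exact string
    comparison, so "testuser2" (or "testuser") never equals "Testuser"."""
    return all(env.get("SSL_CLIENT_S_DN_" + attr) == value
               for attr, value in REQUIRED_SUBJECT.items())


def _host_matches(pattern, client):
    """mod_access matching, simplified: 'all', exact host, partial domain
    name (suffix) or partial IP (prefix). No netmask or CIDR forms."""
    return (pattern == "all" or client == pattern
            or client.endswith("." + pattern)
            or client.startswith(pattern + "."))


def host_allowed(order, allow, deny, client):
    """Emulate Order / Allow from / Deny from as documented for mod_access."""
    matches_allow = any(_host_matches(p, client) for p in allow)
    matches_deny = any(_host_matches(p, client) for p in deny)
    if order == "deny,allow":
        # Deny rules first; a matching Allow overrides; unmatched -> allowed
        return matches_allow or not matches_deny
    if order == "allow,deny":
        # Allow rules first and must match; any Deny match rejects; unmatched -> denied
        return matches_allow and not matches_deny
    raise ValueError("unknown Order: %s" % order)


def access_decision(order, client, subject_dn,
                    allow=DIRECTORY_ALLOW, deny=DIRECTORY_DENY):
    """Combined verdict for the <Directory> block. With 'Satisfy all' and
    'SSLOptions +StrictRequire' an SSLRequire failure is final, so the host
    check and the certificate check must both pass."""
    host_ok = host_allowed(order, allow, deny, client)
    cert_ok = ssl_require(parse_dn(subject_dn))
    return host_ok and cert_ok


if __name__ == "__main__":
    # Constructed inputs: the two certificates mentioned in the thread.
    testuser = "/O=SSLTest SubCA 01/OU=User Certificates/CN=Testuser"
    testuser2 = "/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2"
    variants = [
        ("as posted", "deny,allow", DIRECTORY_ALLOW, DIRECTORY_DENY),
        ("Order swapped, Deny from all kept", "allow,deny", DIRECTORY_ALLOW, DIRECTORY_DENY),
        ("Order swapped, Deny from all dropped", "allow,deny", DIRECTORY_ALLOW, []),
    ]
    for label, order, allow, deny in variants:
        for dn in (testuser, testuser2):
            verdict = access_decision(order, "localhost", dn, allow, deny)
            print("%-38s %-10s %s" % (label, dn.rsplit("=", 1)[1],
                                       "allowed" if verdict else "denied"))
    # Where the two Order forms differ on their own: a host matched by no rule.
    print("unmatched host, deny,allow:", host_allowed("deny,allow", ["localhost"], [], "10.0.0.5"))
    print("unmatched host, allow,deny:", host_allowed("allow,deny", ["localhost"], [], "10.0.0.5"))
```

Two things the model makes visible. SSLRequire's `eq` compares exact strings, so the case difference between Testuser and testuser2 is by itself enough to deny; a verdict that differs from what the live server does points at the check the server is not applying as the file reads. And under Order allow,deny the Deny directives are evaluated last and win, so the posted `Deny from all` has to be removed or narrowed when the Order is swapped, otherwise localhost is denied as well.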


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
