Dominique Lohez wrote:
> You use the directive
>   Order deny,allow
> so the deny directives are evaluated before the allow directives,
> and furthermore everything which is not denied is allowed.
>
> I suggest you should use the
>   Order allow,deny
> directive so that everything which is not allowed is denied.
Thanks for this hint. I changed it to "allow,deny" but it does not change the result: the server still grants access to the wrong certificate. Hmmm... Still don't know what I am doing wrong. Here's my complete current config (if someone really would want to look at it) ;-) It seems as if the SSLRequire never comes into effect (even if I compare the CN with "Foo" instead of "Testuser", access is allowed)...

Olaf

# Apache configuration

# Loading of modules
LoadModule access_module      /usr/lib/apache2-prefork/mod_access.so
LoadModule actions_module     /usr/lib/apache2-prefork/mod_actions.so
LoadModule alias_module       /usr/lib/apache2-prefork/mod_alias.so
LoadModule auth_module        /usr/lib/apache2-prefork/mod_auth.so
LoadModule auth_dbm_module    /usr/lib/apache2-prefork/mod_auth_dbm.so
LoadModule autoindex_module   /usr/lib/apache2-prefork/mod_autoindex.so
LoadModule cgi_module         /usr/lib/apache2-prefork/mod_cgi.so
LoadModule dir_module         /usr/lib/apache2-prefork/mod_dir.so
LoadModule env_module         /usr/lib/apache2-prefork/mod_env.so
LoadModule expires_module     /usr/lib/apache2-prefork/mod_expires.so
LoadModule include_module     /usr/lib/apache2-prefork/mod_include.so
LoadModule log_config_module  /usr/lib/apache2-prefork/mod_log_config.so
LoadModule mime_module        /usr/lib/apache2-prefork/mod_mime.so
LoadModule negotiation_module /usr/lib/apache2-prefork/mod_negotiation.so
LoadModule setenvif_module    /usr/lib/apache2-prefork/mod_setenvif.so
LoadModule ssl_module         /usr/lib/apache2-prefork/mod_ssl.so
LoadModule suexec_module      /usr/lib/apache2-prefork/mod_suexec.so
LoadModule userdir_module     /usr/lib/apache2-prefork/mod_userdir.so
LoadModule php5_module        /usr/lib/apache2/libphp5.so

##################################################
# Main server config
##################################################
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 20
MaxRequestsPerChild 0
User wwwrun
Group www

<IfDefine SSL>
    Listen 127.0.0.1:443
</IfDefine>
Listen 127.0.0.1:80

<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>

AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

UseCanonicalName On

<IfModule mod_mime.c>
    TypesConfig /etc/apache2/mime.types
</IfModule>
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile /etc/apache2/magic
</IfModule>

HostnameLookups Off
ErrorLog /var/log/apache2/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache2/access_log common

ServerSignature Off
ServerTokens productonly

<IfModule mod_setenvif.c>
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

<IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

<Directory />
    Options FollowSymLinks
    Order allow,deny
    deny from all
    AllowOverride none
</Directory>

<IfDefine SSL>
<VirtualHost 127.0.0.1:443>
    DocumentRoot /home/httpd/htdocs/ssltest
    ScriptAlias /cgi-bin /home/httpd/htdocs/cgi-bin
    ServerName www.testserver.de:443
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /var/log/apache2/error_www.testserver.de_ssl
    TransferLog /var/log/apache2/access_www.testserver.de_ssl

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
    SSLCertificateFile /etc/apache2/ssl.ssltest/server-cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.ssltest/server-key.pem
    SSLCertificateChainFile /etc/apache2/ssl.ssltest/server-chain.pem
    SSLCACertificateFile /etc/apache2/ssl.ssltest/clientcachain.pem
    SSLVerifyClient require
    SSLVerifyDepth 3

    <Location />
        Order allow,deny
        allow from localhost
        AllowOverride none
        Satisfy all
        SSLRequireSSL
        SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
                     and %{SSL_CLIENT_S_DN_CN} eq "Testuser" )
    </Location>

    <Location /home/httpd/htdocs/cgi-bin>
        SSLOptions +StdEnvVars
    </Location>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog /var/log/apache2/ssl_request_customlog \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE          [EMAIL PROTECTED]

A daily view on Internet Attacks     https://www.ecsirt.net/sensornet

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
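As an added example (not code from the thread or from Apache itself), here is a stand-alone Python model of the two checks in the posted <Location /> block: mod_access host matching under `Order allow,deny` versus `deny,allow`, and the SSLRequire comparison against the client certificate's subject DN. Host matching is simplified to exact host names or "all", the DN strings are constructed samples in mod_ssl's oneline format, and the combined decision assumes `Satisfy all` as in the posted config, so both checks must pass.

```python
# Added example, not code from the thread or from Apache. Models the two access
# checks in the posted <Location /> block so a config can be reasoned about offline.
# Host matching is simplified to exact host names / "all"; real mod_access also
# matches IP addresses, networks and partial domain names.

def parse_dn(dn):
    """Split a mod_ssl oneline DN ("/C=DE/O=Example/CN=user") into attributes.
    Constructed sample format; values are assumed not to contain '/'."""
    attrs = {}
    for part in dn.strip("/").split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key] = value
    return attrs


def host_allowed(order, allow, deny, host):
    """mod_access decision for one client host.
    allow,deny: default deny; an Allow grants, a matching Deny overrides it.
    deny,allow: default allow; a Deny refuses, a matching Allow overrides it."""
    a = host in allow or "all" in allow
    d = host in deny or "all" in deny
    if order == "allow,deny":
        return a and not d
    if order == "deny,allow":
        return a or not d
    raise ValueError("unsupported Order: %r" % order)


def ssl_require_ok(client_dn, expected_o, expected_cn):
    """Equivalent of the posted expression:
    SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "..." and %{SSL_CLIENT_S_DN_CN} eq "..." )
    A missing attribute is treated as an empty string here and therefore fails."""
    attrs = parse_dn(client_dn)
    return attrs.get("O", "") == expected_o and attrs.get("CN", "") == expected_cn


def location_allows(host, client_dn):
    """Decision for the posted <Location />: Order allow,deny / allow from localhost
    plus the SSLRequire test; with Satisfy all both must pass."""
    return (host_allowed("allow,deny", ["localhost"], [], host)
            and ssl_require_ok(client_dn, "SSLTest SubCA 01", "Testuser"))


if __name__ == "__main__":
    # Constructed sample subjects: one matching the expression, one with the wrong CN.
    good = "/C=DE/O=SSLTest SubCA 01/CN=Testuser"
    bad = "/C=DE/O=SSLTest SubCA 01/CN=Foo"
    print("localhost, good cert:", location_allows("localhost", good))
    print("localhost, bad cert: ", location_allows("localhost", bad))
    print("remote,    good cert:", location_allows("10.0.0.5", good))
```

Comparing the model's answer for a given subject with what the server actually does (log `%{SSL_CLIENT_S_DN}x` to see the DN mod_ssl received) narrows down whether the expression or the directive context is at fault.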