Similar issuer dn mod_ssl client authentication issue

Mon, 13 May 2013 03:34:07 -0700 

I'm testing a client authentication using:

SSLCACertificateFile /path/to/pemfile.pem
<LocationMatch "/test">
        SSLVerifyClient require
        SSLVerifyDepth 2
/LocationMatch>

My env:
CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3
(Unix) - Server built:   Feb  7 2013 14:32:46

I have 2 CA's x509 pem files, bundled.
CA1 signs client1 certificate files
CA2 signs client2 certificate files
I should use two different CA with a similar issuer DN_OU in a bundle (file
/path/to/pemfile.pem)

openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
S.p.A./OU=CA *O*rganization Unit/emailAddress=i...@example.com

openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
S.p.A./OU=CA *o*rganization Unit/emailAddress=i...@example.com

The only difference between 2 CAs is the capital letter in OU field.

When i try to use this configuration I receive a 403 error:

[Mon May 06 09:33:28.115455 2013] [ssl:error] [pid 5120:tid
139860297901824] [client 10.0.2.2:59798] AH02261: Re-negotiation handshake
failed: Not accepted by client!?

The only way it works is without the SSLRequire directive.
or
Using only one CA in the file (file /path/to/pemfile.pem)
or using
SSLVerifyClient optional|optional_no_ca
But I'm still unable to retrieve client cert data; I don't know if the
client is authenticated or not.

The same configuration using openssl_server works, it seems like an
uncorrect (or incomplete) mod_ssl openssl's implementation.

Addendum:
The bundle file contains CA1 and CA2; client certificates signed by CA1
(client1) work, client certificates signed by CA2 (client2) don't work.
If I change the order of the two certificates in the /path/to/pemfile.pem, it
happens that:
The budle file contains CA2 and CA1; client certificates signed by CA2
(client2) work, client certificates signed by CA1 (client1) don't work.

The same site under iis works :(

How could I solve it using apache?
Some suggestions?

Regards
Michele Masè

ps: no aswer from apache mailing list :(
I've attached a sample script to create CA's and client certificates.

Attachment: cert-gen.sh
Description: Bourne shell script

Reply via email to