SSL_CLIENT_XXX is null

Hi all,

First of all, thanks for the very good job with openssl. It really rocks!!

Now my question:
I'm trying to set up strong authentication via client certificate (Belgian eid).
You can see my Apache config:

NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 5
    SSLCACertificateFile /etc/apache2/ssl/BelgiumRootCA.pem
    SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars +CompatEnvVars
    # SSLUserName SSL_CLIENT_S_DN_CN
    RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
    RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
    RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
    RequestHeader set SSL_CLIENT_S_DN_S %{SSL_CLIENT_S_DN_S}e
    RequestHeader set SSL_SERVER_S_DN %{SSL_SERVER_S_DN}e
    RequestHeader set SSL_PROTOCOL %{SSL_PROTOCOL}e
    RequestHeader set MyHeader "coucou"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        # Commented out for Ubuntu
        #RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel info

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

I've a small PHP script that dumps all the HTTP headers. All the HTTP
headers about the client (SSL_CLIENT_XXX) contain (null) while
SSL_SERVER_S_DN and SSL_PROTOCOL are successfully populated.
What's wrong with what I've done?
I use my Belgian eid on other websites, so the root cause is not on the
client side. I also include my error.log, which may help you. It
looks ok except for the timeout, but I don't know if I have to care
about it.

[Mon May 22 15:23:12 2006] [notice] Apache/2.0.54 (Ubuntu)
PHP/5.0.5-2ubuntu1.2 mod_ssl/2.0.54 OpenSSL/0.9.7g configured --
resuming normal operations
[Mon May 22 15:23:20 2006] [info] Connection to child 0 established
(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:20 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:20 2006] [info] Initial (No.1) HTTPS request
received for child 0 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Connection to child 0 closed with
standard shutdown(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Connection to child 1 established
(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:27 2006] [info] Initial (No.1) HTTPS request
received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Subsequent (No.2) HTTPS request
received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:42 2006] [info] (70007)The timeout specified has
expired: SSL input filter read failed.
[Mon May 22 15:23:42 2006] [info] Connection to child 1 closed with
standard shutdown(server localhost.localdomain:443, client 127.0.0.1)

Thanks in advance for your help

François
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
fsoumil [ Mon, 22 May 2006 15:37 ] [ ID #1324599 ]
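
Added example (not part of the original post, and not mod_ssl code): a small Python diagnostic that classifies a request from mod_ssl's SSL_CLIENT_VERIFY value and compares each SSL_CLIENT_* environment variable with the copy made by `RequestHeader set`, which separates "no certificate was sent" from "the variable exists but the header shows (null)". It assumes a CGI environment with +StdEnvVars active, where forwarded headers appear as HTTP_<NAME>; the function name, finding texts and SAMPLE values are constructed for illustration.

```python
import os

# Client variables that the configuration in the post copies into request headers.
CLIENT_VARS = ("SSL_CLIENT_S_DN", "SSL_CLIENT_S_DN_CN", "SSL_CLIENT_S_DN_S")

# Constructed sample environment reproducing the symptom described in the post.
SAMPLE = {"SSL_PROTOCOL": "TLSv1", "SSL_CLIENT_VERIFY": "GENEROUS",
          "SSL_CLIENT_S_DN": "/C=BE/CN=Example User",
          "HTTP_SSL_CLIENT_S_DN": "(null)"}


def diagnose(environ):
    """Return (state, findings) for one request's CGI-style environment."""
    if "SSL_PROTOCOL" not in environ:
        return "no-ssl-env", ["no SSL_* variables: not HTTPS, or +StdEnvVars is off"]
    findings = []
    verify = environ.get("SSL_CLIENT_VERIFY")  # NONE, SUCCESS, GENEROUS, FAILED:reason
    if verify in (None, "NONE"):
        state = "no-certificate"
        findings.append("the client presented no certificate in the handshake")
    elif verify == "SUCCESS":
        state = "verified"
    elif verify == "GENEROUS":
        # What 'SSLVerifyClient optional_no_ca' reports for an unverifiable chain.
        state = "unverified"
        findings.append("certificate accepted without chain validation; do not trust its DN")
    else:
        state = "failed"
        findings.append("verification failed: " + verify)

    for name in CLIENT_VARS:
        env_value = environ.get(name)
        header = environ.get("HTTP_" + name)  # copy made by 'RequestHeader set'
        if header == "(null)" and env_value:
            findings.append(name + ": set in the environment but '(null)' in the "
                            "header, so it was unset when the header was expanded")
        elif header not in (None, "(null)") and state != "verified":
            findings.append(name + ": header carries an identity that was not verified")
    return state, findings


if __name__ == "__main__":
    # Use the real environment under CGI, the constructed sample otherwise.
    env = os.environ if "GATEWAY_INTERFACE" in os.environ else SAMPLE
    state, findings = diagnose(env)
    print("Content-Type: text/plain\n")
    print("client certificate state:", state)
    for line in findings:
        print(" -", line)
```

A backend that receives these headers should act on the DN only in the "verified" state.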