Re: mod_ssl: SSLRequire
This is a discussion on Re: mod_ssl: SSLRequire within the Modssl Users forums, part of the Web Server and Related Forums category; Oliver.Schaudt@unilog.de wrote: > How deep is VerifyDepth ? I guess this is the wrong direction of error checking. ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
04-05-2006
|
|||
|
|||
Re: mod_ssl: SSLRequire
Oliver.Schaudt@unilog.de wrote:
> How deep is VerifyDepth ? I guess this is the wrong direction of error checking. VerifDepth and VerifyRequire are used in evaluating the certificate chain on SSL connection establishment, the SSLRequire expression is evaluated after the HTTP request is successfully transmitted and the server already knows which webpage is requested (it's a "directory" section...) Of course VerifyDepth is sufficient (every value above 2 works in my case, as expected), if it was not, the error would be something like "unable to get issuer certificate", because evaluation starts at the leaf (= client certificate) going up to the root CA cer. > I know it will be a big file, but for this purposes i use to turn on > "LogLevel Debug" than the error_log will become very verbose. > There Apache will tell if your "testuser" will be checked or not . How would that look like? I see at the connection establishment: [Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root [Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root [Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01 After many bytes of packet dump I see the HTTP request arrived: [Wed Apr 05 19:17:59 2006] [info] Initial (No.1) HTTPS request received for child 0 (server www.testserver.de:443) and then again lots of bytes (the webpage that is delivered). Nothing about the check of SSLRequire... Thanx for your help anyways. :-) I guess the next step will be stracing the whole thing... -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet __________________________________________________ ____________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager majordomo@modssl.org 
|
Linear Mode
