Oliver.Schaudt@unilog.de wrote:

> How deep is VerifyDepth ?


I guess this is the wrong direction of error checking.
VerifDepth and VerifyRequire are used in evaluating the
certificate chain on SSL connection establishment, the
SSLRequire expression is evaluated after the HTTP request
is successfully transmitted and the server already knows
which webpage is requested (it's a "directory" section...)

Of course VerifyDepth is sufficient (every value above 2
works in my case, as expected), if it was not, the error
would be something like "unable to get issuer certificate",
because evaluation starts at the leaf (= client certificate)
going up to the root CA cer.

> I know it will be a big file, but for this purposes i use to turn on
> "LogLevel Debug" than the error_log will become very verbose.
> There Apache will tell if your "testuser" will be checked or not .


How would that look like? I see at the connection
establishment:

[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root,
issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA
01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User
Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01

After many bytes of packet dump I see the HTTP request
arrived:

[Wed Apr 05 19:17:59 2006] [info] Initial (No.1) HTTPS request received for child 0 (server www.testserver.de:443)

and then again lots of bytes (the webpage that is delivered).
Nothing about the check of SSLRequire...

Thanx for your help anyways. :-) I guess the next step
will be stracing the whole thing...

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org