Hi all --

I'm having some trouble configuring Apache/mod_ssl to do what I want.=20
Perhaps I have some misconceptions that need dispelled. Any help would b=
e
grealy appreciated.

OVERVIEW/GOAL:
I'm retrofitting some Apache servers to require client certificates. Not=
e
that these servers have certificates that are (temporarily) self-signed.=20
Our organization already has a PKI consisting of a self-signed RootCA and
two IssuingCAs. My goal here is to configure my Apache server to require
user certificates issued by IssuingCA2, and to refuse access to all
others.

Server version: Apache/2.2.3
Server built: Aug 10 2006 17:29:16
OpenSSL 0.9.8b 04 May 2006

THE PROBLEM:
The problem is that I've found only one configuration that will allow a
client to successfully load a page, and in this case, it will also allow
the use of user certificates issued by the other IssuingCA. I find this
baffling, since I haven't told Apache anything about this particular
IssuingCA.

I believe that my problems are centering around the SSLCACertificateFile
directive. See below for my SSL (scrubbed) conf file.

CASE 1:
If I use this invocation, Apache allows certificates from any issuing CA
that has been signed by our Root CA. Note that certchain.cer is a
concatenation of the PEM-encoded certificates for IssuingCA2 and the
RootCA (specifically, of IssuingCA2.cer and RootCA.cer mentioned in the
next two cases).
SSLCACertificateFile conf/ssl/certchain.cer

Here is the logfile exerpt for this case:

[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 2, subject: [SNIP]Root CA, issuer: [SNIP]Root CA
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 1, subject: [SNIP]Issuing CA 1, issuer: [SNIP]Root C=
A
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 0, subject: /CN=3D[SNIP], issuer: [SNIP]Issuing CA 1

CASE 2:
If I use this invocation, Apache will run but will complain (whenever the
protected page is loaded) that it can't find the local issuer certificate=
..
I've tried setting SSLVerifyDepth to 1, but this didn't help anything.=20
The only good thing about this case is that the list of certificates
presented by the remote browser to the user only includes those directly
issued by IssuingCA2.
SSLCACertificateFile conf/ssl/IssuingCA2.cer

Here is the logfile exerpt for this case:

[Mon Apr 23 22:31:18 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 1, subject: [SNIP]Issuing CA 2, issuer: [SNIP]Root C=
A
[Mon Apr 23 22:31:18 2007] [error] Certificate Verification: Error (20):
unable to get local issuer certificate

CASE 3:
If I use this invocation, Apache won't even run. Note that the content o=
f
RootCA.cer is exactly the same content that makes up an essential part of
certchain.cer (see above). AFAIK, this certificate should have format an=
d
content readily useable by Apache. The only special thing about it, is
that it is a self-signed certificate (does that make a difference?)
SSLCACertificateFile conf/ssl/RootCA.cer

Here is the logfile exerpt for this case:

[Mon Apr 23 22:02:13 2007] [info] Loading certificate & private key of
SSL-aware server
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_pphrase.c(469): unencrypted
RSA private key - pass phrase not required
[Mon Apr 23 22:02:13 2007] [info] Configuring server for SSL protocol
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(405): Creating new
SSL context (protocols: SSLv2, TLSv1)
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(538): Configuring
client authentication
[Mon Apr 23 22:02:13 2007] [error] Unable to configure verify locations
for client authentication
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 33558533
error:02001005:system library:fopen:Input/output error
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 537317378
error:2006D002:BIO routines:BIO_new_file:system lib
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 185090050
error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
lib

HELP:
My expectation here was that I would need to provide the certificate chai=
n
(issuing and root CA) required to authenticate the user certificate, and
that a user certificate issued by any other IssuingCA would fail because =
I
haven't given Apache the IssuingCA's certificate.

Instead, it seems like the server has gained access to the IssuingCA1
certificate (does it do this directly, or does the client send it?), and
is validating that certificate against the RootCA. This seems to happen
when I provided the RootCA in the SSLCACertificateFile, which (as I
understand it) gets sent to the remote client so that it can filter its
list of applicable user certificates.

So, I'm looking for is a way to configure Apache to:
1. Instruct the remote browser to limit the applicable user certificates
to only those issued by IssuingCA2,
2. Avoid the "unable to get local issuer certificate" error
3. Never accept a user certificate issued by IssuingCA1

Could someone please tell me where I've gone wrong, and/or how to achieve
these goals?



CONFIGURATION:
Here's my SSL conf file. It's loaded from httpd.conf:


DocumentRoot [SNIP]
ServerName [SNIP]:443
ServerAdmin [SNIP]
CustomLog virtualhosts/secure/logs/access.log common
ErrorLog virtualhosts/secure/logs/error.log
TransferLog virtualhosts/secure/logs/access.log
LogLevel debug


SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSL v2:+EXP:+eNULL
SSLCertificateFile conf/ssl/[SNIP].crt
SSLCertificateKeyFile conf/ssl/[SNIP].key
SSLCACertificateFile conf/ssl/certchain.cer
SSLVerifyDepth 10

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog virtualhosts/secure/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# Prevent clients from using SSLv3
SSLProtocol all -SSLv3


DocumentRoot [SNIP]/virtualhosts/secure/htdocs

Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all



Options FollowSymLinks
AllowOverride None

Order allow,deny
Allow from all



# Per-directory configuration for SSL
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >=3D 128
SSLVerifyClient require



AllowOverride None
Options None
Order allow,deny
Allow from all





__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org