SSLRequire %{SSL_CLIENT_S_DN_CN}

Question

Q1) I'm new to Apache HTTP Server, I'm trying to configure the SSLRequire for particular contexts. Below are the 2 cases:

a) Checking against CA-Signed Certificate's attributes, it is working as expected:

<Location /https_ca_ba/getItem1>
 SSLVerifyClient require
 SSLVerifyDepth  10
 SSLRequireSSL
 SSLRequire    %{SSL_CLIENT_S_DN_O}  eq "My Org" \
               and %{SSL_CLIENT_S_DN_OU} eq "My Team" \
               and %{SSL_CLIENT_S_DN_CN} eq "<ca-signed-cert>.mycompany.com"
 RequestHeader set Authorization "Basic <base64string>"
 ProxyPass https://internal_host:443/ws/soap/getItem
 ProxyPassReverse https://internal_host:443/ws/soap/getItem
</Location>

b) Checking against Self-Signed Certificate. However, I got the error "AH02229: access to proxy:https://:443/ws/soap/getItem failed, reason: SSL requirement expression not fulfilled". I double check, the CN name configured is correct:

<Location /https_ca_ba/getItem2>
 SSLVerifyClient  none
 SSLRequire    %{SSL_CLIENT_S_DN_CN} eq "<self-signed-cert>.mycompany.com"
 RequestHeader set Authorization "Basic <base64string>"
 ProxyPass https://internal_host:443/ws/simple/getItem
 ProxyPassReverse https://internal_host:443/ws/simple/getItem
</Location>

Did I configured wrongly?

Q2) Is there any way to configure client cert authentication in Apache HTTP Server? External party will provide the certificate.

Could you please advise?

Thanks

Regards, Damon

score 1 · Answer 1 · edited Jun 26 '20 at 17:31

1

Missing brackets for SSLRequire

SSLRequire   ( %{SSL_CLIENT_S_DN_O}  eq "My Org" \
           and %{SSL_CLIENT_S_DN_OU} eq "My Team" \
           and %{SSL_CLIENT_S_DN_CN} eq "<ca-signed-cert>.mycompany.com" )

edited Jun 26 '20 at 17:31

kenlukas

3,101
2
16
26

answered Jun 26 '20 at 14:40

lieberM

11
1

SSLRequire %{SSL_CLIENT_S_DN_CN}

1 Answers1