I have the following problem:
I have a VirtualHost where the user has to authenticate with a certificate. That all works so far, but Apache does not seem to honor the CRL and also grants access to the certificates that are listed in the CRL. The server runs Plesk, by the way.
Server version: Apache/2.2.3 (Debian) mod_jk/1.2.18 mod_python/3.2.10 Python/2.4.4 PHP/5.2.6-0.dotdeb.1 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
OpenSSL version: OpenSSL 0.9.8h (Cygwin)
Error log (debug, after startup):
[Sun Sep 21 11:02:21 2008] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 21 11:02:21 2008] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Sun Sep 21 11:02:21 2008] [info] Configuring server for SSL protocol
[Sun Sep 21 11:02:21 2008] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sun Sep 21 11:02:21 2008] [debug] ssl_engine_init.c(538): Configuring client authentication
[Sun Sep 21 11:02:21 2008] [debug] ssl_engine_init.c(1113): CA certificate: /C=DE/ST=Deutschland/L=Oberhausen/O=My Private CA/OU=My Private CA/CN=My Private CA
[Sun Sep 21 11:02:21 2008] [debug] ssl_engine_init.c(626): Configuring certificate revocation facility
[Sun Sep 21 11:02:21 2008] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
[Sun Sep 21 11:02:21 2008] [debug] ssl_engine_init.c(768): Configuring RSA server private key
httpd.include (mod_ssl.c part)
<IfModule mod_ssl.c>
SSLRandomSeed startup /dev/urandom 2048
SSLRandomSeed connect /dev/urandom 2048
<VirtualHost 78.46.77.47:443>
ServerName intra.habboradio.ch:443
SuexecUserGroup intra psacln
ServerAdmin webmaster@habboradio.ch
LogLevel debug
DocumentRoot /var/www/vhosts/intra.habboradio.ch/httpsdocs
CustomLog /var/www/vhosts/intra.habboradio.ch/statistics/logs/access_ssl_log plesklog
ErrorLog /var/www/vhosts/intra.habboradio.ch/statistics/logs/error_log
<IfModule mod_userdir.c>
UserDir /var/www/vhosts/intra.habboradio.ch/web_users
</IfModule>
ScriptAlias /cgi-bin/ /var/www/vhosts/intra.habboradio.ch/cgi-bin/
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /opt/psa/var/certificates/cert-mcpyh9
SSLCACertificateFile /opt/psa/var/certificates/cert-lGlK9e
<Directory /var/www/vhosts/intra.habboradio.ch/httpsdocs>
<IfModule mod_perl.c>
<Files ~ (\.pl$)>
SetHandler perl-script
PerlHandler ModPerl::Registry
Options ExecCGI
allow from all
PerlSendHeader On
</Files>
</IfModule>
<IfModule mod_perl.c>
<Files ~ (\.asp$)>
SetHandler perl-script
PerlHandler Apache::ASP
PerlSetVar Global /tmp
</Files>
</IfModule>
<IfModule mod_php4.c>
php_admin_flag engine on
php_admin_flag safe_mode on
php_admin_value open_basedir "/var/www/vhosts/intra.habboradio.ch/httpsdocs:/tmp"
</IfModule>
<IfModule mod_php5.c>
php_admin_flag engine on
php_admin_flag safe_mode on
php_admin_value open_basedir "/var/www/vhosts/intra.habboradio.ch/httpsdocs:/tmp"
</IfModule>
<IfModule mod_python.c>
<Files ~ (\.py$)>
SetHandler python-program
PythonHandler mod_python.cgihandler
</Files>
</IfModule>
<IfModule mod_fcgid.c>
AddHandler fcgid-script .fcgi
Options +FollowSymLinks +ExecCGI
</IfModule>
SSLRequireSSL
Options +Includes +ExecCGI
</Directory>
<Directory /var/www/vhosts/intra.habboradio.ch/web_users>
<IfModule mod_php4.c>
php_admin_flag engine off
</IfModule>
<IfModule mod_php5.c>
php_admin_flag engine off
</IfModule>
</Directory>
Include /var/www/vhosts/intra.habboradio.ch/conf/vhost_ssl.conf
</VirtualHost>
</IfModule>
vhost_ssl.conf
SSLCACertificateFile /var/www/vhosts/intra.habboradio.ch/ssl/ca.crt
SSLCARevocationFile /var/www/vhosts/intra.habboradio.ch/ssl/ca.crl
<Directory /var/www/vhosts/intra.habboradio.ch/httpsdocs/>
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth
SSLRequire (%{SSL_CLIENT_I_DN_CN} eq "My Private CA")
<IfModule mod_php4.c>
php_admin_flag engine on
php_admin_flag safe_mode off
php_admin_value open_basedir "/var/www/vhosts/intra.habboradio.ch/httpsdocs:/tmp:/var/www/vhosts/habboradio.ch/httpdocs"
</IfModule>
<IfModule mod_php5.c>
php_admin_flag engine on
php_admin_flag safe_mode off
php_admin_value open_basedir "/var/www/vhosts/intra.habboradio.ch/httpsdocs:/tmp:/var/www/vhosts/habboradio.ch/httpdocs"
</IfModule>
SSLOptions +StdEnvVars +ExportCertData
</Directory>
I have been stuck on this problem for days. I just cannot find out what is wrong with Apache.
I would be very grateful for any help!
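
An offline check, independent of Apache, that a CRL file is signed by the CA used for client verification and that it really causes a given client certificate to be rejected. This is an added example, not part of the original post: the "Demo CA", the alice and bob certificates and all file names are constructed, and it assumes a current OpenSSL command line whose `verify` command supports `-CRLfile`.

```shell
# Added example, not from the original post: "Demo CA", alice and bob are a
# constructed throwaway PKI written to a temp dir; no real server or CA is touched.
# crl_status CA CRL CERT -> good | revoked | crl-expired | crl-bad-signature | error
crl_status() {
    # The CRL must carry a valid signature from the CA used for client verification.
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK' ||
        { echo crl-bad-signature; return 0; }
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) || true
    case $out in
        *'certificate revoked'*) echo revoked ;;
        *'CRL has expired'*)     echo crl-expired ;;
        *': OK'*)                echo good ;;
        *)                       echo error ;;
    esac
}

# make_demo_pki DIR: CA, client certs for alice and bob, and a CRL that revokes bob.
make_demo_pki() {
    d=$1; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[demo]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
policy = pol
[pol]
commonName = supplied
EOF
    ca="openssl ca -batch -name demo -md sha256 -days 30 -crldays 7 -config $d/demo.cnf"
    ca="$ca -cert $d/ca.crt -keyfile $d/ca.key"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" -subj '/CN=Demo CA' \
        -days 30 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for n in alice bob; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        $ca -notext -in "$d/$n.csr" -out "$d/$n.crt" 2>/dev/null
    done
    $ca -revoke "$d/bob.crt" 2>/dev/null && $ca -gencrl -out "$d/ca.crl" 2>/dev/null
}

d=$(mktemp -d); make_demo_pki "$d"
for n in alice bob; do echo "$n: $(crl_status "$d/ca.crt" "$d/ca.crl" "$d/$n.crt")"; done
rm -rf "$d"
```

Run against real files, `crl_status` takes the paths given to `SSLCACertificateFile` and `SSLCARevocationFile` plus the client certificate in question; any result other than `revoked` for a certificate that should be blocked means the problem is in the CRL file and not in the server configuration.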