SSLRequire %{SSL_CLIENT_S_DN_CN}

mod-ssl

Q1) I'm new to Apache HTTP Server and I'm trying to configure SSLRequire for particular contexts. Below are the two cases:

a) Checking against a CA-signed certificate's attributes; this is working as expected:

<Location /https_ca_ba/getItem1>
 SSLVerifyClient require
 SSLVerifyDepth  10
 SSLRequireSSL
 SSLRequire    %{SSL_CLIENT_S_DN_O}  eq "My Org" \
               and %{SSL_CLIENT_S_DN_OU} eq "My Team" \
               and %{SSL_CLIENT_S_DN_CN} eq "<ca-signed-cert>.mycompany.com"
 RequestHeader set Authorization "Basic <base64string>"
 ProxyPass https://internal_host:443/ws/soap/getItem
 ProxyPassReverse https://internal_host:443/ws/soap/getItem
</Location>

b) Checking against a self-signed certificate. However, I got the error "AH02229: access to proxy:https://:443/ws/soap/getItem failed, reason: SSL requirement expression not fulfilled". I double-checked, and the CN name configured is correct:

<Location /https_ca_ba/getItem2>
 SSLVerifyClient  none
 SSLRequire    %{SSL_CLIENT_S_DN_CN} eq "<self-signed-cert>.mycompany.com"
 RequestHeader set Authorization "Basic <base64string>"
 ProxyPass https://internal_host:443/ws/simple/getItem
 ProxyPassReverse https://internal_host:443/ws/simple/getItem
</Location>

Did I configure it wrongly?

Q2) Is there any way to configure client cert authentication in Apache HTTP Server? An external party will provide the certificate.

Could you please advise?

Thanks

Regards,
Damon

Best Answer

Missing brackets for SSLRequire

SSLRequire   ( %{SSL_CLIENT_S_DN_O}  eq "My Org" \
           and %{SSL_CLIENT_S_DN_OU} eq "My Team" \
           and %{SSL_CLIENT_S_DN_CN} eq "<ca-signed-cert>.mycompany.com" )
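
For case (b) and Q2 in the question, an added example that is not part of the original post or answer: with `SSLVerifyClient none`, and assuming no client verification is set at the virtual-host level, the client is never asked for a certificate, so `SSL_CLIENT_S_DN_CN` is empty and the comparison cannot be fulfilled. The configuration below shows the setting from the question beside one that requests and verifies the externally provided certificate; the `<VirtualHost>` wrapper and all file paths are assumed placeholders.

```apache
# Added example; file paths are placeholders, not values from the original post.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server-cert.pem
    SSLCertificateKeyFile /path/to/server-key.pem

    # Trust anchor for client verification. A self-signed client certificate is
    # its own issuer, so the certificate supplied by the external party is the
    # entry that goes here. This directive is valid in server or virtual-host
    # context only, not inside <Location>.
    SSLCACertificateFile  /path/to/partner-self-signed-cert.pem

    <Location /https_ca_ba/getItem2>
        SSLRequireSSL

        # As posted in the question: no certificate is requested from the
        # client, so every SSL_CLIENT_* variable is empty at this point.
        # SSLVerifyClient none

        # Request a client certificate and reject the connection unless it
        # verifies against SSLCACertificateFile above.
        SSLVerifyClient require
        SSLVerifyDepth  1

        # The CN check is only meaningful because the certificate was verified
        # first. With optional_no_ca the certificate is not validated, and a CN
        # comparison alone would not authenticate the caller.
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "<self-signed-cert>.mycompany.com"

        RequestHeader set Authorization "Basic <base64string>"
        ProxyPass https://internal_host:443/ws/simple/getItem
        ProxyPassReverse https://internal_host:443/ws/simple/getItem
    </Location>
</VirtualHost>
```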