https://bz.apache.org/bugzilla/show_bug.cgi?id=64368
Bug ID: 64368
Summary: SSLVerifyClient in location context broken
Product: Apache httpd-2
Version: 2.4.43
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: regression
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: apache.4d...@nospam.spacesurfer.com
Target Milestone: ---

At some point between version 2.4.41 (working) and 2.4.43 (not working), existing SSLVerifyClient functionality broke.

If I use the configuration:

    <VirtualHost ...
      SSLVerifyClient none
      SSLCACertificateFile /usr/local/etc/apache24/clientCA.pem
      <Location /s>
        SSLVerifyClient require
        SSLVerifyDepth 4
        SSLOptions StdEnvVars
      </Location>
    </VirtualHost>

In 2.4.41 I can visit a secure web page that is not in the /s location without a client certificate; if I visit anything in the /s location, I am required to have the correct client certificate or I will get permission denied.

As of 2.4.43, I can no longer visit anything in the /s location. I always get permission denied; anything not in the /s location is still permitted.

If I remove the <Location> section and use SSLVerifyClient require at the top level, then I can only see the secure website with the correct client certificate, as expected.
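To find configurations that use the pattern from this report (a `<Location>` that raises SSLVerifyClient above the enclosing virtual host's level), the following added example, which is not code from the report or from the httpd project, scans configuration text and lists each such location. The function name `find_location_upgrades` is hypothetical, and the parser is a simplified assumption that handles only plain one-line directives inside `<VirtualHost>` blocks.

```python
import re

# Strictness order of mod_ssl's SSLVerifyClient levels.
LEVELS = {"none": 0, "optional_no_ca": 1, "optional": 2, "require": 3}

# Constructed sample: the configuration quoted in the report, with the
# elided <VirtualHost ...> arguments left elided.
SAMPLE = """\
<VirtualHost ...>
    SSLVerifyClient none
    SSLCACertificateFile /usr/local/etc/apache24/clientCA.pem
    <Location /s>
        SSLVerifyClient require
        SSLVerifyDepth 4
        SSLOptions StdEnvVars
    </Location>
</VirtualHost>
"""

def find_location_upgrades(conf_text):
    """Return (location, vhost_level, location_level) for each <Location>
    whose SSLVerifyClient is stricter than its virtual host's level."""
    findings, base, locs, current = [], "none", [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            base, locs = "none", []      # "none" is mod_ssl's default
        elif (m := re.match(r"<location(?:match)?\s+(.+?)\s*>$", line, re.I)):
            current = m.group(1).strip('"')
        elif low.startswith("</location"):
            current = None
        elif (m := re.match(r"sslverifyclient\s+(\S+)", line, re.I)):
            if current is None:
                base = m.group(1).lower()
            else:
                locs.append((current, m.group(1).lower()))
        elif low.startswith("</virtualhost"):
            # Compare only at the end, so directive order does not matter.
            findings += [(p, base, lv) for p, lv in locs
                         if LEVELS.get(lv, 0) > LEVELS.get(base, 0)]
            locs = []
    return findings

if __name__ == "__main__":
    for path, vhost_level, loc_level in find_location_upgrades(SAMPLE):
        print(f"{path}: SSLVerifyClient {vhost_level} -> {loc_level}")
```

Each location it reports is one to test with and without a client certificate when moving between the httpd versions named in the report.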