https://bz.apache.org/bugzilla/show_bug.cgi?id=64368
Bug ID: 64368
Summary: SSLVerifyClient in location context broken
Product: Apache httpd-2
Version: 2.4.43
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: regression
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
At some point between version 2.4.41 (working) and 2.4.43 (not working)
existing SSLVerifyClient functionality broke. If I use the configuration:
<VirtualHost ...
SSLVerifyClient none
SSLCACertificateFile /usr/local/etc/apache24/clientCA.pem
<Location /s>
SSLVerifyClient require
SSLVerifyDepth 4
SSLOptions StdEnvVars
</Location>
</VirtualHost>
In 2.4.41 I can visit a secure web page that is not in the /s location without
a client certificate, if I visit anything in the /s location I am required to
have the correct client certificate or I will get permission denied.
As of 2.4.43, I can no longer visit anything in the /s location, I always get
permission denied, anything not in the /s location is still permitted. If I
remove the <Location> section and use SSLVerifyClient require at the top level,
then I can only see the secure website with the correct client certificate as
expected.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
