Hello!
Sorry: I post again my previous message for and important addendum.
I installed Apache/1.3.3 (Win32) mod_ssl/mod_ssl/2.1b8 SSLeay/0.9.0b.
I configured Apache to access a directory with the basic authentication
scheme (using htpasswd.users and htaccess file). The ".htaccess" file
is:
deny from all
AuthType Basic
AuthUserFile "/httpd/etc/htpasswd.users"
AuthName "special directory"
require valid-user
satisfy any
If I try to access the protected directory using the normal http
protocol (using the url http://127.0.0.1/Protected"), everything works
fine: the user/password window pops up, I give the correct user/password
sequence and Apache correctly lets me enter.
If I try to access the protected directory using the *https* protocol
(using the url https://127.0.0.1/Protected), the user/password window
pops up, I give the correct user/password sequence, but the Apache
server just wait few minutes and then Netscape shows me a window with
"No response from the server".
The SSL section in http.conf is the following:
=====================================================================
DocumentRoot "/httpd/htdocs"
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error.log
TransferLog logs/access.log
CustomLog logs/ssl_request.log "%t %h %{version}c %{cipher}c
\"%r\" %b
%{subjectdn}c %{issuerdn}c"
SSLEngine on
[...snip... certificate stuff ...snip...]
SSLoptions -FakeBasicAuth
# Set the file containing CA certificates which are sent to the
# client on an `SSLv3 write certificate request A'. This is
# used with SSLv3 certificate chaining where the client loads
# intermediate certificates in the chain from the server to
# speedup processing of the server authentication. This
# defaults to SSLCACertificateFile but can be set to a
# different file when you want to use a different set of
# certificates you sent out to the client.
#SSLCACertificateReqFile c:/apps/apache/conf/ssl.crt/ca-bundle.crt
# Set client verification level: [RECOMMENDED]
# none: no certificate is required
# optional: the client may present a valid certificate
# require: the client must present a valid certificate
# optional_no_ca: the client may present a valid certificate
# but it is not required to have a valid CA
SSLVerifyClient optional_no_ca
# Set how deeply to verify the certificate issuer chain before
# deciding the certificate is not valid. [OPTIONAL]
SSLVerifyDepth 2
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. [OPTIONAL]
#SSLCipherSuite RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
# With SSLRequire you can do access control based on
# arbitrary complex boolean expressions containing
# server variable checks and other lookup directives.
# The syntax is a mixture between C and Perl.
# See the mod_ssl documentation for more details.
#SSLRequire %{SSL_CIPHER} !~ m/^EXP-.*/ and \
# %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
# %{REMOTE_ADDR} =~ m/^1\.2\.3\.[0-9]+$/
=====================================================================
Why basic auth doesn't work with SSL ? Can anyone help me ?
Bye, Achille.
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
