I've been trying to get Client cert authentication to work with mod_ssl
2.8.4-8 and have everything working bar directory listings. Apparently this
is a bug that goes back over a year now?
Anyway, I think I have a workaround.
Instead of using FakeBasicAuth, I instead use SSLRequire, and change
CustomLog to "fake" the auth entry:
i.e.
LogFormat "%h %l %u %t \"%r\" ....." standard
LogFormat "%h %l SSL:%{SSL_CLIENT_S_DN_EMAIL}e %t \"%r\" ..." ssl-standard
CustomLog /log/access_log standard
#Override the CustomLog setting for valid SSL Client Certs
CustomLog /log/access_log ssl-standard env=SSL_CLIENT_S_DN_EMAIL
<Location ~ "/secure">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +StrictRequire +ExportCertData +CompatEnvVars +StdEnvVars
    SSLBanCipher NULL-MD5 NULL-SHA
    SSLRequire %{SSL_CLIENT_S_DN_OU} in {"our dep"}
    Options none Indexes FollowSymlinks SymLinksIfOwnerMatch
    AllowOverride None
    order allow,deny
    allow from all
</Location>
The only concern I have is that I had to set +StdEnvVars in order to get
SSL_CLIENT_S_DN_EMAIL into the environment. Can I access that some other
way, or is the extra load of adding the env vars not bad enough to be
concerned about?
Also, if anyone thinks that's not going to operate the way I think it should
(i.e. only allow OU="our dep" access) please let me know :-)
Thanks
--
Cheers
Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
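An added log-audit script (not from the post or from mod_ssl) that parses lines in the two LogFormats above, folds the pair of lines both CustomLog directives write for a cert-authenticated request into one record, and lists successful requests under /secure that carry no SSL: identity. The log lines are constructed samples, and the status and byte fields after the "..." of the posted formats are assumed to be the usual %>s %b.

```python
import re
from collections import OrderedDict

# Constructed sample access_log lines (not real traffic). "standard" lines carry '-' in %u;
# "ssl-standard" lines carry SSL:<client cert e-mail> there. Both CustomLog directives fire
# for a cert-authenticated request, so such requests appear twice (assumed %>s %b tail).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2002:10:00:01 +1300] "GET /secure/ HTTP/1.0" 200 512
10.0.0.5 - SSL:alice@example.com [10/Mar/2002:10:00:01 +1300] "GET /secure/ HTTP/1.0" 200 512
10.0.0.9 - - [10/Mar/2002:10:00:07 +1300] "GET /secure/report.txt HTTP/1.0" 403 207
10.0.0.7 - - [10/Mar/2002:10:00:09 +1300] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 - SSL:bob@example.com [10/Mar/2002:10:00:12 +1300] "GET /secure/report.txt HTTP/1.0" 200 4096
10.0.0.11 - - [10/Mar/2002:10:00:15 +1300] "GET /secure/leak.txt HTTP/1.0" 200 99
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')

def parse_line(line):
    """Parse one line of either format; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # The ssl-standard format puts the cert identity in the %u slot with an SSL: prefix.
    rec["cert_email"] = rec["user"][4:] if rec["user"].startswith("SSL:") else None
    return rec

def merge_records(text):
    """Collapse the duplicate standard/ssl-standard pair for one request into one record."""
    merged = OrderedDict()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["time"], rec["request"], rec["status"])
        if key in merged and rec["cert_email"] is None:
            continue  # an ssl-standard copy is already stored; keep the richer one
        merged[key] = rec
    return list(merged.values())

def audit_secure(records, prefix="/secure"):
    """Return successful (status < 400) requests under prefix that have no cert identity."""
    findings = []
    for rec in records:
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else rec["request"]
        if path.startswith(prefix) and rec["status"] < 400 and rec["cert_email"] is None:
            findings.append(rec)
    return findings
```

Run it over a real access_log to confirm that every successful hit under /secure is tied to a client certificate; any finding means the SSLRequire rule did not gate that request.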