Re: SSL Client Auth with Virtual Hosts

Thu, 02 Jun 2005 07:22:45 -0700 

I'm not a guru but I would suspect that your NameVirtualHost
directives need to differ. You probably need to configure the
virtual hosts using their domain names, like this:
------------------------------------------------------------

NameVirtualHost abc1-no-client-auth.com:443
<VirtualHost abc1-no-client-auth.com:443>
    ...
</VirtualHost>

NameVirtualHost abc1-ssl-client-auth.com:443
<VirtualHost abc1-ssl-client-auth.com:443>
    ...
</VirtualHost>

------------------------------------------------------------
Otherwise I think one will just overwrite the other.
Also for MSIE compatibility it is recommended that you add
the following to the virtual host configuration:
------------------------------------------------------------

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

------------------------------------------------------------
Hope this was helpful.

/Daniel

----- Original Message ----- 
From: "Hoda Nadeem" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, June 02, 2005 3:26 PM
Subject: RE: SSL Client Auth with Virtual Hosts


Are there any parameters that I am missing, or am I doing something
incorrect?

On my setup, client authentication is either on or off globally. I can't
seem to isolate it at the virtual host level.

Thanks. 

Nadeem

Example again:

NameVirtualHost 111.111.111.111:443

<Virtualhost 111.111.111.111:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName abc1-no-client-auth.com

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

<Virtualhost 111.111.111.111:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName abc1-ssl-client-auth.com

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [email protected]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to