>> So, I added this to my apache.conf > > <Location /secure> > SSLRequire ( true ) > </Location> > [snip] > The problem is, after adding that configuration line, I can still go to > /secure with my browser, and it doesn't start a SSL session. I don't > understand this at all - it seems really easy ... sslREQUIRE leads me to > believe that the directory or file specified would open in the browser as > SSL, and if the browser doesn't support it, it would not let it open at all > (because it is required). I understand your confusion completely - that's exactly how I'd have thought it would work: if you use an http:// URL then you get an insecure connection, whereas if you use an https:// URL for the same web pages then you get SSL. However, my understanding is that to *stop* an "http://" URL from being obeyed by your webserver you have to actually *change* the URL on receipt to the equivalent "https://" URL within your webserver on the fly, *every* time a client browser tries the http:// version. The standard method for doing this seems to be to make use of the mod_rewrite Apache module. As far as I can see, the SSLRequire directive doesn't actually do anything at all. But I must be missing something ... :-( I''ve never done any of this, so I can't advise you on the use of mod_rewrite. And I too would be really grateful if Someone Who Understands could explain the use of SSLRequire. Cheers, Nick Systems Team, EDS Healthcare, Bristol, UK Internet email: [EMAIL PROTECTED] | tel: +44 117 989 2941 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
