RE: [EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in VirtualHost overrides the same in Location?

2005-08-30 Thread Yefym Dmukh

SSLVerifyClient is documented as working in directory context, so it should also work in
Location context. The manual page for mod_ssl does explicitly
say that a SSL renegotiation is triggered if a request for the location
is received.
 

Then this is a bug, because it doesn't work for Location.

A simple test scenario is:
1. Access the document root location - SSLVerifyClient optional, cancel the certificate choice window.
2. Access the location <Location /auth> with SSLVerifyClient require - no SSL negotiation triggered - access without certificate granted.

So the answer to the question:
Bug or Feature: global SSLVerifyClient in VirtualHost overrides the same in Location?
It is a bug :)

Axel-Stéphane SMORGRAV [EMAIL PROTECTED]
29.08.2005 17:06
Please respond to: users@httpd.apache.org
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in VirtualHost overrides the same in Location?

SSLVerifyClient is documented as working in directory
context, so it should also work in Location context. The manual
page for mod_ssl does explicitly say that a SSL renegotiation is triggered
if a request for the location is received.
 
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient
 
-ascs



From: Yefym Dmukh [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 29, 2005 3:54 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in VirtualHost
overrides the same in Location?



Hi guys,
please point me to the docu if possible; I cannot find anything related
to the topic.

Here is an example:

<VirtualHost>
    SSLVerifyClient optional

    Alias /auth /htdocs/authorisation
    <Location /auth>
        SSLVerifyClient require
        SSLOptions +ExportCertData +StdEnvVars
        SSLVerifyDepth 5
        Options None
    </Location>

</VirtualHost>


Best Regards , 
Yefym

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: [EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in VirtualHost overrides the same in Location?

2005-08-30 Thread Joe Orton
On Tue, Aug 30, 2005 at 10:23:16AM +0200, Yefym Dmukh wrote:
> SSLVerifyClient is documented as working in directory context, so it
> should also work in Location context. The manual page for mod_ssl does
> explicitly say that a SSL renegotiation is triggered if a request for the
> location is received.
>
> Then this is a bug, because it doesn't work for Location
>
> Simple test scenario is :
> 1. access document root location - SSLVerifyClient optional , cancel
> certificate choice window.
> 2. access location <Location /auth> with SSLVerifyClient require - no
> triggered SSL negotiation - access without certificate granted.

That should not happen, it would be a serious security issue if it did.  
I'd suspect you're seeing a cached session being reused if you're seeing 
access granted to a location with SSLVerifyClient require.

Please can you confirm this: add %{SSL_CLIENT_S_DN}x to some CustomLog 
line so that you can log whether the client cert is actually being 
picked up or not for access to the protected location.

If this isn't working properly it's something we need to get fixed, but 
I can't reproduce any problems here.

Regards,

joe




[EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in VirtualHost overrides the same in Location?

2005-08-29 Thread Yefym Dmukh

Hi guys,
please point me to the docu if possible; I cannot find anything related to the topic.

Here is an example:

<VirtualHost>
    SSLVerifyClient optional

    Alias /auth /htdocs/authorisation
    <Location /auth>
        SSLVerifyClient require
        SSLOptions +ExportCertData +StdEnvVars
        SSLVerifyDepth 5
        Options None
    </Location>

</VirtualHost>


Best Regards , 
Yefym

RE: [EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in VirtualHost overrides the same in Location?

2005-08-29 Thread Axel-Stéphane SMORGRAV
SSLVerifyClient is documented as working in directory context, so it should 
also work in Location context. The manual page for mod_ssl does explicitly 
say that a SSL renegotiation is triggered if a request for the location is 
received.
 
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient
 
-ascs



From: Yefym Dmukh [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 29, 2005 3:54 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in 
VirtualHost overrides the same in Location?



Hi guys,
please point me to the docu if possible; I cannot find anything related to the
topic.

Here is an example:

<VirtualHost>
    SSLVerifyClient optional

    Alias /auth /htdocs/authorisation
    <Location /auth>
        SSLVerifyClient require
        SSLOptions +ExportCertData +StdEnvVars
        SSLVerifyDepth 5
        Options None
    </Location>

</VirtualHost>


Best Regards , 
Yefym
