Hi! I've come across the following:
1. Configure Apache (1.3.33 in this case) to listen with SSL on some port (say 8100).
2. Protect it with mod_auth.
3. Connect to the port with a web browser using http:// (not https://!):

   http://ssl.example.com:8100/

You get the following in error.log:

   [Fri Jun 3 14:47:46 2005] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page...

What Apache actually sends, though, is a "401 Authorization Required", so you also get the authentication dialog in the web browser. If you now fill in your credentials and click the "OK" button, your username and password are sent to the server in the clear.

The problem with this is that the user has no actual feedback that he has entered a wrong URL and that the connection to the server is not actually encrypted.

An immediate fix is to SSLRequireSSL, which has the problem that the user does not get the helpful 400 error with the correct link. (I worked around this by using ErrorDocument to redirect the user immediately to the correct URL... ugly hack, I think.)

Is there some (easy) way around this problem that I have not found? Is this even something mod_ssl can influence or must this be fixed in mod_auth?

thanks!
Christoph Schindler

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                               [EMAIL PROTECTED]
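
Added example, not part of the original post and not the poster's actual configuration: a sketch of the workaround the message describes (SSLRequireSSL plus an ErrorDocument redirect) for Apache 1.3 with mod_ssl. The certificate paths, password file, realm name and the choice of status 403 for the ErrorDocument are assumptions; host and port are the ones used in the post.

```apache
# Constructed example; all file paths and the realm name are placeholders.
Listen 8100

<VirtualHost _default_:8100>
    ServerName ssl.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    <Location />
        # Setup from the post: the location is protected by mod_auth only.
        # A plain-HTTP request to this port is answered with 401, so the
        # browser prompts and sends the credentials unencrypted.
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /path/to/htpasswd
        Require valid-user

        # Workaround from the post: refuse any request that did not
        # arrive over SSL, so no 401 challenge is issued for it.
        SSLRequireSSL

        # Keep the SSLRequireSSL denial in force even if a "Satisfy any"
        # is configured for this location.
        SSLOptions +StrictRequire
    </Location>

    # SSLRequireSSL denies with 403 Forbidden (assumed here to be the
    # status the poster redirected); an ErrorDocument given as a full
    # URL makes Apache answer with a redirect to that URL.
    ErrorDocument 403 https://ssl.example.com:8100/
</VirtualHost>
```

To check the result, request http://ssl.example.com:8100/ and confirm that the response is a redirect to the https:// URL and carries no WWW-Authenticate header.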