For limiting the CA's you accept, look into the directive SSLCADNRequestFile.
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcadnrequestfile regards, tt -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, May 31, 2007 9:23 AM To: users@httpd.apache.org Subject: [EMAIL PROTECTED] mod_ssl and client cert Hello everyone. I've an apache 2.2.4 up and running! I've this configuration in my ssl.conf file: Listen xxx.xxx.xxx.xxx:443 <VirtualHost xxx.xxx.xxx.xxx:443> ServerName xxx.xxx.xxx.xxx:443 ErrorLog /opt/CHROOT/HTTPD-2.2.4/logs/error_log TransferLog /opt/CHROOT/HTTPD-2.2.4/logs/access_log SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.cert.temp SSLCertificateKeyFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.key.temp SSLCACertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/ProgettieServizi.cer <Location /> SSLVerifyClient require SSLVerifyDepth 10 SSLRequire %{SSL_CLIENT_I_DN_CN} eq "manuciao" </Location> </VirtualHost> As you can see I want client authentication but with this configuration the server doesn't ask certificate for the browser. If I move SSLVerifyClient and SSLVerifyDepth out of the location directive the server ask client cert but then it seems that the filter doesn't work. And the server ask me a cert I select it from my browser list and it is not signed from a CA with a common name "manuciao" but the server doesn't stop me from serving a page. How Can I see SSL_CLIENT_I_DN_CN value? I've turn the debug on but I can't see anything for this variable. If I want a configuration where the server asks for client certificates for specific url and accepts only the one with a specific CA or a specific common name what have I to do???? What is the configuration in my ssl.conf file? Pleas let me know! Thanks in advance Manuela Vorazzo "Dale Ogilvie" <[EMAIL PROTECTED]> 31/05/2007 04.15 Please respond to users@httpd.apache.org To <users@httpd.apache.org> cc Subject [EMAIL PROTECTED] mod_proxy_balance never recovers from a worker error with stickysession Hello, I am running Apache 2.2.3 on RedHat EL 5. I am trying to use Apache to load balance between two local instances of tomcat in order to utilize the vast quantities of RAM on our production server. My httpd setup looks like this: <Proxy balancer://tomcat> BalancerMember ajp://localhost:8009 min=10 max=100 route=tomcat1 loadfactor=1 retry=120 BalancerMember ajp://localhost:8010 min=10 max=100 route=tomcat2 loadfactor=1 retry=120 </Proxy> <Location /balancer-manager> SetHandler balancer-manager Order deny,allow Deny from all Allow from .trimblecorp.net </Location> ProxyPass /dscgi/ds.py/ balancer://tomcat/docushare/dsweb/ stickysession=JSESSIONID nofailover=On ProxyPass /docushare balancer://tomcat/docushare stickysession=JSESSIONID nofailover=On ProxyPass /docushare/ balancer://tomcat/docushare/ stickysession=JSESSIONID nofailover=On The problem is that if one of the workers gets into error status, any client with a JSESSIONID referencing that route is never able to receive a reply, Apache *always* responds with a 503 - Temporarily unavailable, *until* another request is successful. I expected with "retry=120" that after 120 seconds the client would be able to use the errored out worker, but this is *not* the case. Test case: 1. Start tomcats 2. Access /docushare, this succeeds and returns a JSESSIONID cookie referencing the member e.g. JSESSIONID=BC90C156669FDF0194657FF27EC3AF99.tomcat2 3. Stop tomcats to simulate a backend failure 4. Access /docushare again in the same browser session, this fails with a 503 error (as expected). Balance-manager shows tomcat1 is OK, and tomcat2 is Err Error_log shows: All workers are in error state for route (tomcat2) 5. Start tomcats again 6. Wait for 120+ seconds to allow retry=120 to take effect 7. Access /docushare *using the session with the tomcat2 cookie*, expect success, get 503 error. I can repeat this step ad nauseam without ever getting a successful response. Error_log shows: All workers are in error state for route (tomcat2) 8. To resolve the issue, delete the JSESSIONID cookie from the client or open up a new browser and access /docushare. Either of these seem to solve the problem for the "cookied" browser session. 9. Access /docushare, this succeeds, balance-manager shows both tomcat1 and tomcat2 are now OK even though the cookie returned to this request is for *tomcat1*. So I would expect that the balance would retry the errored path successfully "retry" seconds after the failure. Is this a bug or do I have some misunderstanding and/or misconfiguration? Regards -- Dale Ogilvie Senior Software Engineer Trimble Navigation NZ Ltd P O Box 8729 Riccarton Christchurch Ph: +64 3 9635344 Fax: +64 3 9635317 --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] *******************Internet Email Confidentiality Footer******************* Qualsiasi utilizzo non autorizzato del presente messaggio nonché dei suoi allegati è vietato e potrebbe costituire reato. Se ha ricevuto per errore il presente messaggio, Le saremmo grati se ci inviasse, via e-mail, una comunicazione al riguardo e provvedesse nel contempo alla distruzione del messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute nel presente messaggio nonche' nei suoi eventuali allegati devono essere attribuite al mittente e non possono essere necessariamente considerate come autorizzate da SIA-SSB S.p.A.; le medesime dichiarazioni non impegnano SIA-SSB S.p.A. nei confronti del destinatario o di terzi. SIA-SSB S.p.A. non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche o danneggiamenti del presente messaggio e-mail. Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA-SSB S.p.A. Besides, The contents of this message shall be understood as neither given nor endorsed by SIA-SSB S.p.A.. SIA-SSB S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
