Hi!

Following this howto: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html I
set up authentication to my secure area. I used a configuration like the
"howto", I wrote my subjectDN in the "httpd.passwd" with the defined
password, and everything works fine.

httpd.conf
---------------------------------------------------------------------------------
SSLVerifyClient      none
<Directory /usr/local/apache2/htdocs/secure/area>
SSLVerifyClient      require
SSLVerifyDepth       5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions           +FakeBasicAuth
SSLRequireSSL
AuthName             "Snake Oil Authentication"
AuthType             Basic
AuthUserFile         /usr/local/apache2/conf/httpd.passwd
require              valid-user
</Directory>
 
---------------------------------------------------------------------------------

httpd.passwd
---------------------------------------------------------------------------------
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
<my subject DN >:xxj31ZMTZzkVA
---------------------------------------------------------------------------------

But I have one question.
If my SubjectDN is present in the file "httpd.passwd", access is granted,
while if my SubjectDN is not in the "httpd.passwd" file, I am prompted
for username and password, as the browser gets a 401 http-status.
I think this is misleading for users, as they are accessing the area with
their certificate, and whether somebody has been disabled (i.e. deleted from
the httpd.passwd), or has no rights for a defined area, he gets a
user-password prompt and the "authorization required" page after "n"
attempts, depending on the browser configuration. I know the disabled user
won't have access anyway, but I am wondering if there is a way to skip this
or to provide a 403 http-status instead of 401.
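One way to get the behaviour asked for above, added here as an illustration and not part of the original post: the 401 comes from the Basic-auth module (FakeBasicAuth turns the certificate DN into a Basic-auth user name, and mod_auth challenges with 401 when that user is not in the password file). If the allowed DNs are checked by mod_ssl itself with SSLRequire instead, a trusted certificate with an unlisted DN fails the expression and mod_ssl answers 403 Forbidden, with no password prompt. The paths are the ones from the post; the second DN is a constructed placeholder.

```apache
# Added example (not from the original post): answer 403 rather than 401
# when a client certificate is valid but its subject DN is not allowed.
# Assumes Apache 2.0 with mod_ssl; the DNs below are placeholders.
SSLVerifyClient none
<Directory /usr/local/apache2/htdocs/secure/area>
    SSLRequireSSL
    SSLVerifyClient      require
    SSLVerifyDepth       5
    SSLCACertificateFile conf/ssl.crt/ca.crt
    SSLCACertificatePath conf/ssl.crt

    # Authorization by certificate subject, evaluated by mod_ssl.
    # A certificate not signed by the trusted CA is already rejected
    # during the handshake; a trusted certificate whose DN is not in
    # this list fails the expression and the request gets 403 Forbidden.
    # Use the same one-line DN form that FakeBasicAuth writes into
    # httpd.passwd (the value of SSL_CLIENT_S_DN).
    SSLRequire %{SSL_CLIENT_S_DN} in {"/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo", "/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Bar"}

    # No AuthType/AuthUserFile/FakeBasicAuth here: with no auth module
    # configured for this location, nothing sends a 401 challenge.
</Directory>
```

Trade-off: without FakeBasicAuth, REMOTE_USER is no longer set to the DN, so an application behind this location that needs the identity should read SSL_CLIENT_S_DN (exported with `SSLOptions +StdEnvVars`). Disabling a user then means removing the DN from the SSLRequire list (or revoking the certificate via SSLCARevocationFile), not editing httpd.passwd.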
