Hi everyone,
Here's the challenge I'm trying to solve. I'd like to use the
SSLVerifyClient directive to offer better security to users who know
about client certificates, but only for users who opt in to the extra
security.
To make matters more difficult, I'd like to use the same URLs for my
pages regardless of whether they're using client certificates or not.
How would you accomplish this?
I know the first thing everybody is going to think is "If you want it to
be optional, just use 'SSLVerifyClient optional_no_ca'", but that runs
the risk of the user being *asked* for their cert, even if they have no
idea what a client cert is. Sure, they can just hit cancel and get in,
but it looks like a bug to people who don't know better.
I've managed to hack together this little work-around, and it works!
But I'm not sure it's a good idea:
# Opted-in visitors (identified here by a cookie) are routed under /certopt
RewriteCond %{HTTP_COOKIE} cert=opt
RewriteRule ^/(.*) /certopt/$1 [NS,PT]
# The per-location mod_ssl settings are picked up only on the rewritten path
<Location /certopt>
    SSLVerifyClient optional_no_ca
    SSLOptions +StdEnvVars +ExportCertData
</Location>
# Alias maps the prefix back onto the real document root, so the files are the same
Alias /certopt C:/Projects/website
(In the example I'm using a cookie to change whether or not I'm using
the extra verification, under the assumption that the final PHP code
will do proper validation, but I could use any method mod_rewrite supports.)
So basically, I'm using one method of rewriting the URL (mod_rewrite) so
I can pick up the extra SSL directives, then I'm using a *different*
method of URL rewriting (alias) to return the URL to its original state.
Only thing is, I'm not 100% certain that this is actually *supposed* to
work. Can I rely on this working in future versions? Is it a terrible
idea? Is there a better way to do it? Am I going to be forced to learn
the inner workings of mod_ssl and write a patch if I want this feature?
Thanks,
-Rick-
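An added example, not from Rick's post, that fills the sketch above out into a complete virtual host so the security boundary is visible. The host name, file paths, client CA file, SSLVerifyDepth and the cookie regex are assumptions for illustration. It keeps the rewrite-then-Alias trick unchanged and adds the part a practitioner would insist on: the cookie only decides whether the browser is asked for a certificate; whether a trustworthy certificate was actually presented is decided by mod_ssl verification (SSL_CLIENT_VERIFY), never by the cookie.

```apache
# Added example (not from the original post). Paths, names and the
# "cert=opt" cookie test are assumptions; adjust to the deployment.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "C:/Projects/website"

    SSLEngine on
    SSLCertificateFile    "C:/Projects/ssl/server.crt"
    SSLCertificateKeyFile "C:/Projects/ssl/server.key"
    # CA that issued the client certificates (assumed path); without it
    # mod_ssl cannot verify anything and only optional_no_ca would work.
    SSLCACertificateFile  "C:/Projects/ssl/client-ca.crt"

    # Default for everyone who has not opted in: never prompt for a cert.
    SSLVerifyClient none

    RewriteEngine on
    # Opted-in visitors carry the cookie; route them under /certopt so the
    # per-Location SSL settings below apply. The second condition stops a
    # request that already starts with /certopt/ from being prefixed twice.
    RewriteCond %{HTTP_COOKIE} (^|;\s*)cert=opt(;|$)
    RewriteCond %{REQUEST_URI} !^/certopt/
    RewriteRule ^/(.*) /certopt/$1 [NS,PT]

    # Alias maps the prefix back onto the same files, so URLs stay identical.
    Alias /certopt "C:/Projects/website"

    <Location /certopt>
        # "optional": the cert is requested and, if one is presented, it
        # must chain to SSLCACertificateFile or the handshake fails.
        # "optional_no_ca" (what the post uses) also accepts a cert that
        # cannot be verified and reports SSL_CLIENT_VERIFY as GENEROUS,
        # leaving every check to the application.
        SSLVerifyClient optional
        SSLVerifyDepth  2
        SSLOptions +StdEnvVars +ExportCertData
        # Enforce that an opted-in visitor really presented a verified cert.
        # Remove this line to keep the "cancel the prompt and still get in"
        # behaviour from the post; then the application must check
        # SSL_CLIENT_VERIFY itself before trusting SSL_CLIENT_S_DN.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

Two caveats worth knowing before relying on this. Per-directory SSLVerifyClient is implemented by renegotiating the TLS session after the request line and headers have been read, so any request body has to be buffered first; mod_ssl limits that buffer with SSLRenegBufferSize (default 128 kB), and larger uploads to a /certopt path will be rejected. And because anyone can set the cookie, the application behind the Alias must treat "routed through /certopt" as nothing more than "the browser was asked": only SSL_CLIENT_VERIFY equal to SUCCESS (or its own validation of the exported SSL_CLIENT_CERT against the client CA when optional_no_ca is used) says a valid certificate was presented.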
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.