My problem is accurately Here. How could I use the 'Satisfy Any'
directive to check that client certificate is valid and have some
specific field.
Is 'Satisfy Any' compatible with
'SSLVerifyClient/SSLVerifyDepth/SSLRequire' directive ?
All my try to mix both brings me to an "Internal Server Error" display.
Relevant part of such a test:
SSLVerifyClient optional
SSLOptions +StdEnvVars +OptRenegotiate
<Location />
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 5
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "European Space Agency"
and %{SSL_CLIENT_S_DN_OU} eq "DGC-C" )
Order deny,allow
Require IP 10.0.0.8
Satisfy any
</Location>
May be it's possible to test an environment variable set by
SSLVerifyClient such as SSL_CLIENT_VERIFY = SUCCESS.
I have no more idea so any one is welcome !
Zentoo
On Thu, 2013-03-14 at 08:08 -0400, Yehuda Katz wrote:
> I am not near my computer, so I can't test this, but I believe what
> you are looking for is the "Satisfy Any" directive.
> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
>
>
> - Y
>
> On Thursday, March 14, 2013, Jean-Francois Maeyhieux wrote:
> Hello everyone !
>
>
> My purpose is simple:
>
> I want a unique SSL vhost that permit two way to access the
> website:
> a) People from specific IP could access the content
> b) People with a valid client certificate could access the
> content
>
>
> I know how to achieve each access way but not both in the same
> time.
> How could I write a vhost to accept connection from specifics
> IP and
> from people with a valide client certificates ?
>
>
> Zentoo
>
>
>
>
>
> My actual vhost that permit only client certificates but don't
> accept
> specific IP.
>
>
> <VirtualHost x.x.x.x:443>
> SSLEngine on
>
>
> SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
>
> SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
> SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
> SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem
>
> SSLProtocol -SSLv2 -SSLv3 +TLSv1
> SSLHonorCipherOrder on
> SSLCipherSuite
>
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
>
> ServerName www.toto.com
> DocumentRoot /var/www/htdocs
>
> ErrorLog /var/logs/ssl_error_log
> CustomLog /var/logs/ssl_access_log combined
>
> <Location />
> SSLRequireSSL
> # Note that SSLVerifyClient optional brings MS
> IE incompatibility
> SSLVerifyClient optional
> SSLVerifyDepth 5
> SSLOptions OptRenegotiate
> SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T",
> "X.Y.Z.U", "A.B.C.D") \
> or ( %{SSL_CLIENT_S_DN_O} eq
> "MyCompany" and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
> </Location>
>
> </VirtualHost>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
> --
> Sent from a gizmo with a very small keyboard and hyper-active
> auto-correct.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
