Dear List,

I'm trying to implement an SSL client certificate check for only some selected 
URLs, but some things do not work as expected:

* Although "SSLVerifyClient none" is set for the whole vhost and "SSLVerifyClient 
require" only for location "/test", Firefox on Linux will ask for the certificate on 
all URLs. If I understand correctly, the expected behavior would be to trigger 
renegotiation only when the location matches.

* When dismissing the request in Firefox on Linux, the unprotected URLs are 
served while protected ones result in (Error code: 
ssl_error_handshake_failure_alert), although it would be nicer to get a 
"Forbidden" served. But I could live with that also.

* When supplying the certificate via Firefox, content is served as expected.

* IE9 and Firefox on Windows always refuse to serve any page (SSL error) for 
both "/" and "/test" never asking to supply a client certificate.

When connecting using openssl or socat, the results are different:

* Content of / is served as expected
* Access to "/test" without certificate returns "Forbidden"
* Access to "/test" with certificate FAILS to return the protected content, 
although renegotiation is present:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported

Does someone know the magic combination of server-side SSL options to get this 
working with as many browsers and OSes as possible?

I've searched for similar problems but failed to find really close hits. Many 
other users got the location-based request for a client certificate working but had 
problems with something different afterwards.

Roman



PS: Config snippet:

  SSLVerifyClient none
  SSLVerifyDepth 1
  SSLCACertificateFile /etc/apache2/ssl/TestingCA.cert

  <Location /test/>
    # Changing this from none to require will make Firefox ask for the client
    # certificate on any URL, not only /test/.*
    SSLVerifyClient require
    # Does not work with/without it anyway
    SSLOptions +OptRenegotiate
  </Location>
