From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 12355] - SSLVerifyClient directive in location make post to PHP script impossible
Date: Tue, 30 Aug 2005 11:18:32 +0200 (CEST)
Message-Id: <20050830091832.D6873127@ajax.apache.org>

http://issues.apache.org/bugzilla/show_bug.cgi?id=12355

------- Additional Comments From yefym.dmukh@gmail.com  2005-08-30 11:17 -------
(In reply to comment #34)
> "SSLVerifyClient optional" seems also safe.
> Is "SSLOptions +OptRenegotiate" really needed, or is it an optimisation ?
> Is it totally safe ? The doc states to use this carefully.

The workaround explained above is not safe, at least for Apache 2.0.52.

"
RE: [users@httpd] Bug or Feature : global SSLVerifyClient in overrides the same in ?

Simple test scenario is:
1. access document root location - "SSLVerifyClient optional", cancel certificate choice window.
2. access location with "SSLVerifyClient require" - no triggered SSL negotiation - access without certificate granted.

Correct should be the following behaviour, but there is no re-negotiation:
>SSLVerifyClient is documented as working in directory context, so it should also work in context. The manual page for mod_ssl does
>explicitly say that a SSL renegotiation is triggered if a request for the location is received.

config sample:

SSLVerifyClient optional
Alias /auth /htdocs/access
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate
SSLVerifyDepth 5
Options None
"
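Added example, not part of the original message and not Apache httpd code: a small Python audit that lists configuration sections matching the pattern reported above, so they can be reviewed and tested by hand. It goes slightly beyond the reported case by flagging any section that raises SSLVerifyClient above its enclosing scope while +OptRenegotiate is in force. The <VirtualHost>/<Location> containers in the sample and the names audit, inherited, RANK and SAMPLE are assumptions made for illustration.

```python
RANK = {"none": 0, "optional_no_ca": 1, "optional": 1, "require": 2}
# Constructed sample: directives from the comment; <VirtualHost>/<Location> containers are assumed.
SAMPLE = """\
<VirtualHost *:443>
    SSLVerifyClient optional
    Alias /auth /htdocs/access
    <Location /auth>
        SSLVerifyClient require
        SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate
        SSLVerifyDepth 5
        Options None
    </Location>
</VirtualHost>
"""

def inherited(scope, key, default):
    """Value of `key` in force for a scope: its own setting, else the nearest parent's."""
    while scope is not None:
        if scope[key] is not None:
            return scope[key]
        scope = scope["parent"]
    return default

def audit(config_text):
    """List (section, outer_level, inner_level) where a section raises SSLVerifyClient with OptRenegotiate on."""
    root = {"name": "<server>", "parent": None, "verify": None, "optreneg": None}
    scopes, current = [], root
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("</"):
            current = current["parent"] or root
        elif parts[0].startswith("<"):
            current = dict(name=raw.strip().strip("<>"), parent=current, verify=None, optreneg=None)
            scopes.append(current)
        elif parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            current["verify"] = parts[1].lower()
        elif parts[0].lower() == "ssloptions" and len(parts) > 1:
            if not any(a[0] in "+-" for a in parts[1:]):
                current["optreneg"] = False  # a bare option list replaces inherited options
            for a in parts[1:]:
                if a.lstrip("+-").lower() == "optrenegotiate":
                    current["optreneg"] = not a.startswith("-")
    return [(s["name"], inherited(s["parent"], "verify", "none"), s["verify"]) for s in scopes
            if s["verify"] and inherited(s, "optreneg", False)
            and RANK.get(s["verify"], 0) > RANK.get(inherited(s["parent"], "verify", "none"), 0)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding is only a pointer for review: it says the section relies on a stricter client-certificate level than the connection was originally negotiated with, which is the situation the comment's two-step test exercises.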