httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: [PATCH] Further refinements for SNI
Date Tue, 22 Apr 2008 16:27:26 GMT

On Apr 22, 2008, at 5:53 PM, Joe Orton wrote:
> On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
>> While I was testing revocation checking for client certs in an SNI
>> configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
>> flaw in the current implementation when CRL information - i.e.
>> SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis
>> (don't know how much sense it makes to have non-global CRLs, but anyway...).
>
> Someone bugged me about the SNI support so I finally got round to chasing
> this up.
>
> I hacked up a quick test based on Dirk's make_sni.sh; this adds
> "SSLVerifyClient" & SSLCACertificateFile to the second and third named
> vhosts.
>
> And this confirms my original suspicions: I can access those vhosts
> without having to present a certificate, i.e. the configured access
> control restrictions can be bypassed.  If I move the SSLVerifyClient/etc
> to the first vhost, it works as expected.

Is this fixed by Kaspar Brand's patch? (See his msg from 13/2.)

Dw.

