httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Frank <fr...@x09.de>
Subject Error in SSLRequire-handling in conjunction with Satisfy Any
Date Sat, 12 Mar 2011 15:46:07 GMT
Hi,
there is an error regarding the usage of 'SSLRequire' with 'Satisfy Any'.

In a setup like this:

<VirtualHost ....:443>
SSLVerifyClient optional
SSLVerifyDepth 10
DocumentRoot /home/htdocs
<Directory "/home/htdocs/">
   Satisfy Any
   SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/O=myOrg/OU=myOU/CN=myPKI"
   Order deny,allow
   Deny  from all
   Allow from 10.1.1
</Directory>
</VirtualHost>

I was hoping that all users using a certificate matching the specified 
SSL_CLIENT_I_DN were able to get access to the server from any IP and 
every user not having a certificate has to come from the local network 
10.1.1.*!
But it seems to me that the positive check of SSLRequire is just ignored!
(I also tried using 'SSLOptions -StrictRequire' and to use different 
orders but both shots doesn't help.)

In ssl_engine_kernel.c I see at the end of function ssl_hook_Access:

     /*
      * Else access is granted from our point of view (except vendor
      * handlers override). But we have to return DECLINED here instead
      * of OK, because mod_auth and other modules still might want to
      * deny access.
      */

     return DECLINED;


Maybe it must be something like "if (ap_satisfies(r) == SATISFY_ANY) 
return OK; else return DECLINED;"? (No I didn't tried this!)

Best regards!
Frank



Mime
View raw message