httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: bug with SSLVerifyClient?
Date Wed, 23 Nov 2016 19:30:48 GMT


On 11/23/2016 07:55 PM, Helmut K. C. Tessarek wrote:
> On 2016-11-23 13:43, Eric Covener wrote:
>> In your desired config, the initial handshake happens with
>> SSLVerifyClient=none, so no client certificate is requested so none
>> can be sent by the client.
>> The initial handshake completes, then a HTTP request is received that
>> maps to /dir
>> Now Apache has to honor your <Directory> section, and a change to
>> SSLVerifyClient from none to optional requires a new handshake to
>> request a client certificate.
> 
> I see, thank you for the explanation. It still does not explain why it
> doesn't work though. It should, right? At least according to the
> documentation.
> 
> But you also mentioned that this scenario won't work with TLS 1.3. Does
> this mean you can only have either an auth schema (user/password auth)
> or a client cert with TLS 1.3, but not both at the same time? Since when

You can still have that if you configure SSLVerify at the virtual server layer, but not
at directory level.

> is functionality removed in new protocols?

As far as I understand, renegotiation has (and definitely had in the past) serious security
issues. Hence it is removed.

Regards

Rüdiger
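As an added illustration of the configuration Ruediger and Eric describe (this is not a config from the thread or from the httpd project): the client-certificate verify mode is set once for the whole virtual host, so the certificate is requested in the initial handshake and no renegotiation is ever needed, while password authentication and certificate-only access are enforced per directory with plain authorization rules. Hostnames, file paths, the CA bundle and the htpasswd file are assumptions chosen for the example.

```apache
# Added example, not from the thread. Paths, names and files are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # Set once at virtual host level: the client certificate is requested
    # during the initial handshake, so no per-directory change of the verify
    # mode (and therefore no renegotiation) is needed later.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # Password-protected tree: ordinary Basic auth, independent of the cert.
    <Directory "/var/www/html/private">
        AuthType Basic
        AuthName "Private area"
        AuthUserFile "/etc/apache2/htpasswd"
        Require valid-user
    </Directory>

    # Certificate-only tree. Deliberately no SSLVerifyClient here: changing
    # the verify mode inside <Directory> is exactly what forces the
    # renegotiation discussed in the thread. Instead, authorize on the
    # verification result of the certificate already presented in the
    # initial handshake.
    <Directory "/var/www/html/certonly">
        SSLRequireSSL
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
    </Directory>
</VirtualHost>
```

Because the verify mode never changes after the first handshake, a client without a certificate simply gets a 403 on /certonly rather than a second handshake, and the same layout works whether or not the negotiated protocol supports renegotiation.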
