httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: bug with SSLVerifyClient?
Date Wed, 23 Nov 2016 17:36:38 GMT
On Mon, Nov 21, 2016 at 12:40 PM, Helmut K. C. Tessarek
<tessarek@evermeet.cx> wrote:
> But I noticed that it is completely ignored (it always asks for a
> user/password, no matter, if I have the client cert installed or not).

I only have experience w/ a proprietary SSL mod, but:

* I didn't think SSLVerifyClient's data was ever implicitly used in
lieu of basic auth, this gave me pause in the quoted sentence
* The thing to look for here would be whether your request triggers an
SSL renegotiation or not, and if in that 2nd handhsake there is a
certificate request from the server.
* These configs won't work when TLS1.3 arrives because there is no
renegotiation.

-- 
Eric Covener
covener@gmail.com

Mime
View raw message