httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] Client Certificate Setup problem with same VirtualHost but different URI resource name
Date Tue, 21 Oct 2003 14:36:15 GMT
apachectl configtest or httpd -t

----- Original Message ----- 
From: "Ian Huynh" <ianh@hubspan.com>
To: <users@httpd.apache.org>
Sent: Tuesday, October 21, 2003 10:27 AM
Subject: RE: [users@httpd] Client Certificate Setup problem with same
VirtualHost but different URI resource name


Interesting. You are right. I am not sure if the docs is in error or it's
something in the code.
I am not getting any error when apache starts. Is there a configtest utility
in 2.x?



> -----Original Message-----
> From: Leif W [mailto:warp-9.9@usa.net]
> Sent: Tuesday, October 21, 2003 6:59 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Client Certificate Setup problem with same
> VirtualHost but different URI resource name
>
>
> Regarding this portion:
>
>    <Location /abc>
> SSLVerifyClient none
>    </Location>
>
>    <Location /def>
> SSLVerifyClient require
>    </Location>
>
> The docs state the context to be Directory, not Location.
> I'm surprised a
> configtest didn't complain?  Or are the docs in error?  Beyond this, I
> really don't know.  ;-)
>
> Leif
>
> ----- Original Message ----- 
> From: "Ian Huynh" <ianh@hubspan.com>
> To: <users@httpd.apache.org>
> Sent: Tuesday, October 21, 2003 9:48 AM
> Subject: RE: [users@httpd] Client Certificate Setup problem with same
> VirtualHost but different URI resource name
>
>
> I've tried various config. some seem to work but always with a little
> caveat.
>
> - Things always seem to work on a GET
>
> - Sometimes you get a 503 on a POST, if the SSLVerifyClient
> switches from a
> no-cert/optional cert to require cert (the
>   error in the log has to do with mod_ssl complaining about trying to
> renegotiate client auth on a POST)
>
> - Most browsers will behave funny (getting a popup dialog
> even though there
> are no certs present on the client
>   ) when using SSLVerifyClient optional.  IE has option to
> turn it off but
> that's not the default IE behavior.
>
>
> sample config:
>
> <VirtualHost _default_:443>
>    SSLVerifyClient optional
>    SSLVerifyDepth  3
>
> {.. other config info deleted for clarity
> ..}
>
>    <Location /abc>
> SSLVerifyClient none
>    </Location>
>
>    <Location /def>
> SSLVerifyClient require
>    </Location>
>
>
> </VirtualHost>
>
> > -----Original Message-----
> > From: Leif W [mailto:warp-9.9@usa.net]
> > Sent: Tuesday, October 21, 2003 6:22 AM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Client Certificate Setup problem
> with same
> > VirtualHost but different URI resource name
> >
> >
> > Hi,
> >
> > First I don't really know the answer but since there was no
> > reply I figured
> > I'd give it a shot.  I just spent a few seconds skimming
> > http://httpd.apache.org/docs-2.0/ and found two directives
> > which may apply.
> > What I did was go right to the mod_ssl stuff, and look only
> > for directives
> > which had a directory context.
> >
> > SSLVerifyClient (
> > http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslverifyclient )
> > SSLVerifyDepth (
> > http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslverifydepth )
> >
> > Hope that helps,
> >
> > Leif
> >
> > ----- Original Message ----- 
> > From: "Ian Huynh" <ianh@hubspan.com>
> > To: <users@httpd.apache.org>
> > Sent: Friday, October 17, 2003 12:42 PM
> > Subject: [users@httpd] Client Certificate Setup problem with same
> > VirtualHost but different URI resource name
> >
> >
> > Apache 2.0.47 on win2k
> >
> > How do i setup this scenario
> >
> > Background: Apache WEB Server with 1 NIC card & 1 IP address
> > bound to it.
> > I have 2 URLs (see below) and one requires a client cert the
> > other does not.
> > Both URLs are in the same Virtual Host called 'myserver.com' but has
> > different
> > URI resource name.  'abc' does not require client cert but
> 'def' does.
> >
> >
> > 1.   https://myserver.com/abc/   - this does not require cert
> >
> > 2.   https://myserver.com/def/   - this MUST have client cert
> >
> >
> >
> > Thanks
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message