httpd-users mailing list archives

From Michael Gale <mich...@bluesuperman.com>
Subject Re: [users@httpd] Secure server ?
Date Tue, 10 Feb 2004 05:41:00 GMT
Hello,

I was testing with a client without a cert, but it was user error :(
... I forgot that in my browser /test/subdirectory was really a
completely different directory on the machine.

And the SSLVerifyClient ... I got the require mixed up with the depth.

Michael.



On Mon, 9 Feb 2004 10:37:14 +0100
"Boyle Owen" <Owen.Boyle@swx.com> wrote:

> > -----Original Message-----
> > From: Michael Gale [mailto:michael@bluesuperman.com]
> > Sent: Monday, 9 February 2004 05:21
> > To: users@httpd.apache.org
> > Subject: [users@httpd] Secure server ?
> > 
> > 
> > Hello,
> > 
> > 	I am building an Apache web server with PHP and MySQL. I want this
> > server to be as secure as possible.
> > 
> > I have set up SSL on the web server, I have created my own CA, signed my
> > server cert and am specifying on a directory basis that client
> > access requires a valid cert signed by the same CA as the web
> > server.
> > 
> > I believe this should be very secure :)
> > 
> > But I have a few questions?
> > 
> > How can I make it so all directories, including sub-directories, require
> > client certs? It seems that only the directory I explicitly set
> > requires it.
> > 
> > So:
> > <Directory /htdocs/test>
> > SSLVerifyClient 2
> > </Directory>
> 
> Who says you can use "2" as an argument to SSLVerifyClient? According
> to http://www.modssl.org/docs/2.8/ssl_reference.html#ToC17 it takes:
> 
> - none: no client Certificate is required at all 
> - optional: the client may present a valid Certificate 
> - require: the client has to present a valid Certificate 
> - optional_no_ca: the client may present a valid Certificate
> but it need not to be (successfully) verifiable. 
> 
> In any case, the usual rule is that directives which apply to one
> directory are inherited by its subdirectories. I'd be surprised if
> this were different.
> 
> > requires the client to have a cert but:
> > /htdocs/test/subdirectory does not :(
> 
> How did you test this? You aren't expecting the browser to pop-up
> certificate dialogue windows every time you go down a dir, are you? To
> prove this is happening as you describe you'd have to access
> /htdocs/test from a client WITHOUT a cert, demonstrate that you are
> denied access, then change the request to /htdocs/test/subdirectory
> and demonstrate that you obtain access. Can you do this?
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> > Also is there a way to limit a directory access by client cert ? 
> > 
> > Thanks.
> > 
> > -- 
> > Hand over the Slackware CD's and back AWAY from the computer, 
> > your geek
> > rights have been revoked !!!
> > 
> > Michael Gale
> > Slackware user :)
> > Bluesuperman.com 
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> > 
> > 
> 
> 
> 
> 


-- 
Hand over the Slackware CD's and back AWAY from the computer, your geek
rights have been revoked !!!

Michael Gale
Slackware user :)
Bluesuperman.com 
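For readers landing on this thread with the same two questions (does a per-directory SSLVerifyClient cover subdirectories, and can access to a directory be limited to particular client certs), here is an added mod_ssl configuration illustrating the answers. It is not from the thread or from the Apache project; the paths, CA file name and the "Admins" OU value are placeholders.

```apache
# Added example (not from the thread): every path under /htdocs/test,
# subdirectories included, demands a client certificate that chains to
# the site's own CA, and one subdirectory is further limited to
# certificates issued with a specific Organizational Unit.
# Paths and the OU value are placeholders.

# The CA that signed both the server cert and the client certs.
# SSLVerifyDepth bounds the chain length accepted before it reaches
# this CA: with 1, a client cert must be signed directly by the CA.
# (This is the "depth" setting; it does not by itself require a cert.)
SSLCACertificateFile /etc/apache/ssl/ca.crt
SSLVerifyDepth 1

<Directory /htdocs/test>
    # "require" is the documented keyword, not a numeric level.
    # Directory settings are inherited, so /htdocs/test/subdirectory
    # is covered by this block without a second <Directory>.
    SSLVerifyClient require
    # Export SSL_CLIENT_S_DN and friends to CGI/PHP so the application
    # can make its own per-user decisions if needed.
    SSLOptions +StdEnvVars
</Directory>

<Directory /htdocs/test/admin>
    # Narrow this subtree to client certs whose Subject DN carries a
    # particular OU (placeholder). The cert must still be valid and
    # CA-signed because SSLVerifyClient require is inherited from above.
    SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Admins"
</Directory>
```

Because SSLVerifyClient is set per directory rather than per virtual host, mod_ssl only learns that a cert is needed after it has seen the request URL, so it renegotiates the connection at that point; this is why Owen's test procedure is the right check: request /test/ and /test/subdirectory/ once from a client that has no cert (expect the request to be refused) and once from a client presenting a CA-signed cert (for example `curl --cert client.pem`), and compare the two outcomes rather than relying on whether the browser shows a certificate prompt.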


