httpd-users mailing list archives

From Cerion Armour-Brown <cer...@terpsichore.ws>
Subject Re: [users@httpd] localhost https access with client certs required
Date Mon, 23 Feb 2004 10:23:38 GMT

Ahem, that is, apart from the typo on the subdir!
Cerion

On Monday 23 February 2004 11:20, Cerion Armour-Brown wrote:
> Can someone please verify what I've done here - I'm pretty new to this!
>
> In case anyone else has a similar question, I found that if I specify
> "SSLVerifyClient require" in the base of the VH, it overrides any further
> <Directory> changes... so the answer was to put the base
> "SSLVerifyClient require" also in a <Directory>, like so:
>
>    <Directory "/base_dir">
>       SSLVerifyClient require
>       SSLVerifyDepth  1
>       # Deny all non-SSL requests - guard against bad config:
>       SSLRequireSSL
>       # Don't allow anything to override the SSL requirements:
>       SSLOptions +StrictRequire
>    </Directory>
>
>    # Allow access to this dir:
>    <Directory "/opt/rt3/share/html/REST/1.0">
>       Order Deny,Allow
>       Deny from all
>       # Allow access from local_hostname - 'localhost' won't work!
>       Allow from my_hostname
>       SSLVerifyClient none
>    </Directory>
>
> I understand now that this works because on a <Directory> basis, an SSL
> re-negotiation is done AFTER the header info is received... if done at the
> VH level, the SSL handshake happens BEFORE header info is received, so
> it can't get the hostname before it's too late.
>
> Does anyone know if there is (or is not!) anything bad, security-wise,
> about what I've done here?
>
> Cheers,
> Cerion
>
> On Friday 20 February 2004 15:02, Cerion Armour-Brown wrote:
> > Hi,
> > I have apache set up with ssl to require client certs - this all works
> > beautifully.  It also rejects connections to port 80 as it should.
> > However, I need to allow localhost access through https, without a client
> > cert.
> > Have read as many docs as make sense to me, and searched users lists but
> > to no avail.
> > I've tried various configurations, but whatever I do, I just get SSL
> > handshake failed messages in apache/error_log.
> >
> > Any help would be much appreciated!
> > Cerion
> >
> >
> > apache/error_log:
> > [error] mod_ssl: SSL handshake failed (server request_tracker.local:443,
> > client 127.0.0.1) (OpenSSL library error follows)
> > [error] OpenSSL: error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > [Hint: No CAs known to server for verification?] [error] mod_ssl: SSL
> > handshake failed (server request_tracker.local:443, client 127.0.0.1)
> > (OpenSSL library error follows)
> > [error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer
> > error no certificate
> >
> > Here's my latest httpd.conf attempt (I'll post the whole thing if it'll
> > help): ...
> > Port 80
> > ...
> > <IfDefine SSL>
> > #Listen 80
> > Listen 443
> > </IfDefine>
> > ...
> > <VirtualHost _default_:443>
> > ...
> >    <Location "/">
> >       Satisfy Any
> >       Options FollowSymLinks Indexes ExecCGI
> >       AllowOverride None
> >       Order deny,allow
> >       Allow from localhost
> >    </Location>
> > ...
> > SSLEngine on
> > SSLVerifyClient require
> > SSLVerifyDepth  1
> > etc...
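A hardened variant of the per-directory layout from the reply above, added here as an example (it is not the poster's own config). The paths are the ones from the post; leaving SSLVerifyClient unset at the VirtualHost level and exempting the loopback address instead of a hostname are assumptions.

```apache
# Added example: per-directory client-cert policy for the layout above.
# Paths are the poster's; the loopback exemption is an assumption.
<VirtualHost _default_:443>
    SSLEngine on
    # No SSLVerifyClient at VH level: a VH-level "require" is enforced
    # during the initial handshake, before Apache knows which path is
    # requested, so no per-directory exemption can take effect.

    <Directory "/base_dir">
        SSLVerifyClient require
        SSLVerifyDepth  1
        # Reject any non-SSL request that reaches this scope
        SSLRequireSSL
        # Refuse weaker rules that a nested scope or .htaccess might set
        SSLOptions +StrictRequire
    </Directory>

    # The only scope where no client cert is demanded. Access here hinges
    # entirely on the Allow rule, so match on the loopback address rather
    # than a hostname: "Allow from <hostname>" relies on a double-reverse
    # DNS lookup and is only as trustworthy as DNS.
    <Directory "/opt/rt3/share/html/REST/1.0">
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        SSLVerifyClient none
        # Still require TLS even though no client cert is needed
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

Apache renegotiates per-directory after the request line is read, so the exemption applies only to requests for that path; a request for any other path still fails without a valid client certificate.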


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

