httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Secure server ?
Date Mon, 09 Feb 2004 09:37:14 GMT
> -----Original Message-----
> From: Michael Gale [mailto:michael@bluesuperman.com]
> Sent: Montag, 9. Februar 2004 05:21
> To: users@httpd.apache.org
> Subject: [users@httpd] Secure server ?
> 
> 
> Hello,
> 
> 	I am building an Apache web server with PHP and MySQL. I want this
> server to be as secure as possible.
> 
> I have set up SSL on the web server, I have created my own CA, signed my
> server cert and am specifying on a directory basis that client access
> requires a valid cert signed by the same CA as the web server.
> 
> I believe this should be very secure :)
> 
> But I have a few questions:
> 
> How can I make it so all directories, including sub-directories, require
> client certs? It seems that only the directory I explicitly set
> requires it.
> 
> So:
> <Directory /htdocs/test>
> SSLVerifyClient 2
> </Directory>

Who says you can use "2" as an argument to SSLVerifyClient? According to
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC17 it takes:

- none: no client Certificate is required at all
- optional: the client may present a valid Certificate
- require: the client has to present a valid Certificate
- optional_no_ca: the client may present a valid Certificate
  but it need not to be (successfully) verifiable.

In any case, the usual rule is that directives which apply to one
directory are inherited by its subdirectories. I'd be surprised if this
were different.

> requires the client to have a cert but:
> /htdocs/test/subdirectory does not :(

How did you test this? You aren't expecting the browser to pop up
certificate dialogue windows every time you go down a dir, are you? To
prove this is happening as you describe you'd have to access
/htdocs/test from a client WITHOUT a cert, demonstrate that you are
denied access, then change the request to /htdocs/test/subdirectory and
demonstrate that you obtain access. Can you do this?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> Also, is there a way to limit a directory access by client cert?
> 
> Thanks.
> 
> -- 
> Hand over the Slackware CD's and back AWAY from the computer, your geek
> rights have been revoked !!!
> 
> Michael Gale
> Slackware user :)
> Bluesuperman.com 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
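The configuration discussed in this thread in corrected form, as an added example that is not part of either message. The CA file path and the certificate CN are placeholder values, and the nested block uses mod_ssl's SSLRequire directive as one way to address the closing question about limiting a directory by client certificate.

```apache
# Added example: hypothetical paths and subject values, not the poster's configuration.

# Server or virtual-host context: the CA that signed the client certificates.
SSLCACertificateFile /path/to/your-ca.crt

<Directory /htdocs/test>
    # Keyword argument, not a number: "2" is not one of the values
    # listed in the mod_ssl reference quoted in the reply.
    SSLVerifyClient require
    # Depth 1 allows a client certificate signed directly by a CA in the
    # file above (no intermediate CAs in between).
    SSLVerifyDepth 1
</Directory>

# No block is needed for /htdocs/test/subdirectory just to keep the
# certificate requirement: per-directory settings are inherited.
# A nested block is only needed to tighten access further.
<Directory /htdocs/test/subdirectory>
    # Admit only one certificate subject (constructed CN value).
    SSLRequire %{SSL_CLIENT_S_DN_CN} eq "Example Admin"
</Directory>
```

To confirm enforcement as the reply suggests, request both /htdocs/test and /htdocs/test/subdirectory from a client that has no certificate loaded and check that both are refused.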