httpd-users mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [users@httpd] Bug or Feature : global SSLVerifyClient in <VirtualHost> overrides the same in <Location>?
Date Tue, 30 Aug 2005 14:52:11 GMT
On Tue, Aug 30, 2005 at 10:23:16AM +0200, Yefym Dmukh wrote:
> > SSLVerifyClient is documented as working in directory context, so it
> > should also work in <Location> context. The manual page for mod_ssl does
> > explicitly say that a SSL renegotiation is triggered if a request for the
> > location is received.
>
> Then this is a bug, because it doesn't work for <Location>
>
> Simple test scenario is:
> 1. access document root location - "SSLVerifyClient optional", cancel
> certificate choice window.
> 2. access location <Location "/auth"> with "SSLVerifyClient require" - no
> triggered SSL negotiation - access without certificate granted.

That should not happen, it would be a serious security issue if it did.  
I'd suspect you're seeing a cached session being reused if you're seeing 
access granted to a location with "SSLVerifyClient require".

Please can you confirm this: add %{SSL_CLIENT_S_DN}x to some CustomLog 
line so that you can log whether the client cert is actually being 
picked up or not for access to the protected location.

If this isn't working properly it's something we need to get fixed, but 
I can't reproduce any problems here.

Regards,

joe
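
The logging check suggested above, as an added example that is not part of the original message or of httpd itself: it scans an access log that records %{SSL_CLIENT_S_DN}x and reports requests where the "SSLVerifyClient require" location was served without a client certificate subject. The log format, the format name "ssl_dn", the log path and the sample lines are assumptions made for this example, as is an unset variable being logged as "-".

```python
import re

# Assumed httpd config (format name "ssl_dn" and log path are hypothetical):
#   LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\"" ssl_dn
#   CustomLog logs/ssl_dn_log ssl_dn
# Assumption: an unset SSL_CLIENT_S_DN is logged as "-".
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'"(?P<dn>(?:[^"\\]|\\.)*)"$'
)
PROTECTED_PREFIX = "/auth"  # the <Location "/auth"> from the report


def is_protected(path, prefix=PROTECTED_PREFIX):
    """<Location "/auth"> covers /auth and /auth/..., not /authors.html."""
    path = path.split("?", 1)[0]
    return path == prefix or path.startswith(prefix + "/")


def unauthenticated_hits(lines, prefix=PROTECTED_PREFIX):
    """Entries where the protected location was served (2xx/3xx)
    although no client certificate subject DN was logged."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed format
        entry = m.groupdict()
        served = entry["status"][0] in "23"
        no_cert = entry["dn"] in ("", "-")
        if is_protected(entry["path"], prefix) and served and no_cert:
            hits.append(entry)
    return hits


# Constructed sample lines in the assumed format (not from a real server).
SAMPLE = [
    '192.0.2.10 [30/Aug/2005:10:01:02 +0200] "GET / HTTP/1.1" 200 "-"',
    '192.0.2.10 [30/Aug/2005:10:01:09 +0200] "GET /auth/ HTTP/1.1" 200 "-"',
    '192.0.2.11 [30/Aug/2005:10:02:41 +0200] "GET /auth/report HTTP/1.1" 200 "/C=DE/O=Example/CN=alice"',
    '192.0.2.12 [30/Aug/2005:10:03:15 +0200] "GET /auth/ HTTP/1.1" 403 "-"',
    '192.0.2.10 [30/Aug/2005:10:04:00 +0200] "GET /authors.html HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for e in unauthenticated_hits(SAMPLE):
        print("no client cert on protected path:", e["host"], e["time"], e["path"])
```

An empty result over the real log means every successful request to the protected location carried a certificate subject; any hit is a request to investigate further.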
