httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: [users@httpd] Bug or Feature : global SSLVerifyClient in <VirtualHost> overrides the same in <Location>?
Date Tue, 30 Aug 2005 15:23:01 GMT
On Tue, Aug 30, 2005 at 03:52:11PM +0100, Joe Orton wrote:
> On Tue, Aug 30, 2005 at 10:23:16AM +0200, Yefym Dmukh wrote:
> > >SSLVerifyClient is documented as working in directory context, so it 
> > should also work in <Location> context. The manual page for mod_ssl does 
> > >explicitly say that a SSL renegotiation is triggered if a request for the 
> > location is received.
> >  
> > 
> > Then this is a bug, because it doesn't work for <Location> 
> > 
> > Simple test scenario is :
> > 1. access document root location - "SSLVerifyClient optional" ,  cance 
> > certificate choice window.
> > 2. access location <Location "/auth"> with  "SSLVerifyClient require" - no

> > triggered SSL negotiation - access without certificate granted.
> 
> That should not happen, it would be a serious security issue if it did.  

Oh, nasty :( It does and it is, I can confirm this here now.

It looks like this bug dates back to RSE's mod_ssl-for-1.3 too.

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message