httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] mod-ssl with or without client certificate
Date Fri, 23 Dec 2005 09:51:54 GMT
> -----Original Message-----
> From: Ezio Paglia [mailto:ezio@comune.grosseto.it]
> Sent: Thursday, 22 December 2005 18:03
> To: users@httpd.apache.org
> Subject: [users@httpd] mod-ssl with or without client certificate
> 
> 
> Server version: Apache/2.0.54
> 
> Hi all.
> 
> In our virtual hosts we have got a squirrelmail conf through https (without
> client side certificate). It works.
> 
> NameVirtualHost *:443
> 
> <VirtualHost *:443>
>          ServerAdmin ezio@comune.grosseto.it
>          ServerName webmail.comune.grosseto.it
>          SSLEngine on
>          DocumentRoot /usr/share/squirrelmail
> <Directory /usr/share/squirrelmail>
>          php_flag register_globals off
>          Options Indexes FollowSymLinks
> <IfModule mod_dir.c>
>          DirectoryIndex index.php
> </IfModule>
> <Files configtest.php>
>          order deny,allow
>          deny from all
>          allow from 127.0.0.1
> </Files>
> </Directory>
> </VirtualHost>
> 
> I'd like to add another Virtual Host in order to manage client side 
> certificates.

And here the problems start.... You are trying to use name-based virtual-hosting under SSL.
This cannot be done (see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2 for details
and http://marc.theaimsgroup.com/?l=apache-httpd-users&w=2&r=1&s=ssl+name+based&q=b
for archived threads on this very topic, which comes up more frequently than I've had hot
dinners).

Because your two sites are closely linked, you might try using the same cert in both VHs.
When a user first requests either site, HTTPS will start up using the cert of the first VH
(so this will cause a warning if the request is for the second site) but once the HTTPS session
is established, name-based VHing will "work" again since apache can now decrypt the requests
and see the Host header. So users will get the correct site.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> <VirtualHost *:443>
>          ServerAdmin ezio@comune.grosseto.it
>          ServerName ciecns.comune.grosseto.it
>          LogLevel debug
>          SSLEngine on
>          SSLVerifyClient require
>          SSLVerifyDepth 3
>          SSLCACertificateFile /etc/apache2/ssl/caCerts.pem
>          DocumentRoot /var/www/
> </VirtualHost>
> 
> Now, if I put this section before the squirrelmail one, it asks me for the
> certificate even though I point to the squirrelmail, while if the latter is
> the second section, I can access everything without any certificate. It
> sounds like it does not discriminate between client cert and no client
> certificate; it only understands the method invoked in the first virtual host.
> Do you have any ideas?
> 
> Ciao and thank you.
> Merry Christmas.
> Yours Ezio.
> 
> Ezio Paglia
> Systems and Databases
> IT Services (SED)
> Comune di Grosseto
> Office: +39-0564-488706 Fax: +39-0564-21139 Mobile: +39-320-7984950
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
>


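The two-phase behaviour Owen describes (the first *:443 vhost's certificate and SSLVerifyClient govern the handshake because the Host header is still encrypted; name-based matching only takes over once the tunnel is up) is easy to lose track of, so here is a small model of it. This is an added example written for this archive page, not code from the thread or from mod_ssl: it reproduces the behaviour Ezio reports and the workaround Owen suggests, deliberately ignores mod_ssl's own renegotiation logic, and uses the two ServerNames from the mails; the certificate subject names and the dispatch function are constructed for the model.

```python
# Added example: a model of vhost selection on a pre-SNI Apache (2.0, as in the
# thread). Hostnames are from the mails; cert CNs and the API are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VHost:
    server_name: str       # ServerName
    cert_cn: str           # CN of the certificate this vhost would present
    verify_client: str     # SSLVerifyClient: "none", "optional" or "require"


@dataclass(frozen=True)
class Outcome:
    handshake_vhost: str       # vhost whose SSL settings governed the handshake
    cert_cn_presented: str     # CN of the certificate the client actually saw
    handshake_ok: bool         # False when a required client cert is missing
    name_mismatch: bool        # browser warning: cert CN != requested host
    served_by: Optional[str]   # vhost that answered the HTTP request, if any


def dispatch(vhosts: List[VHost], host_header: str, client_has_cert: bool) -> Outcome:
    """Phase 1 is the TLS handshake (no Host header visible yet), phase 2 is
    ordinary name-based routing of the now-decrypted request."""
    if not vhosts:
        raise ValueError("need at least one <VirtualHost *:443>")
    # Phase 1: without SNI the server only knows the IP:port the connection hit,
    # so the first vhost on it supplies the certificate and SSLVerifyClient for
    # every connection, whatever site the client meant to reach.
    first = vhosts[0]
    mismatch = first.cert_cn != host_header
    if first.verify_client == "require" and not client_has_cert:
        return Outcome(first.server_name, first.cert_cn, False, mismatch, None)
    # Phase 2: the request is decrypted, Host is readable and name-based matching
    # works again; an unknown name falls back to the first vhost, as Apache does.
    served = next((v for v in vhosts if v.server_name == host_header), first)
    return Outcome(first.server_name, first.cert_cn, True, mismatch, served.server_name)


WEBMAIL = VHost("webmail.comune.grosseto.it", "webmail.comune.grosseto.it", "none")
CIECNS = VHost("ciecns.comune.grosseto.it", "ciecns.comune.grosseto.it", "require")


def ezio_observations() -> dict:
    """Both orderings from the original mail, each with no client cert offered."""
    return {
        # client-cert vhost listed first: squirrelmail users are asked for a cert
        "ciecns_first_webmail_nocert": dispatch([CIECNS, WEBMAIL], WEBMAIL.server_name, False),
        # squirrelmail listed first: ciecns is reachable with no cert at all
        "webmail_first_ciecns_nocert": dispatch([WEBMAIL, CIECNS], CIECNS.server_name, False),
    }


def owen_workaround() -> Outcome:
    """Same certificate in both vhosts: content routes to the right site after
    the handshake, the second site still gets a name warning, and client-cert
    enforcement still follows the first vhost only."""
    shared_cn = WEBMAIL.cert_cn
    vhosts = [VHost(WEBMAIL.server_name, shared_cn, "none"),
              VHost(CIECNS.server_name, shared_cn, "require")]
    return dispatch(vhosts, CIECNS.server_name, False)


if __name__ == "__main__":
    for name, outcome in ezio_observations().items():
        print(name, outcome)
    print("owen_workaround", owen_workaround())
```

The model makes the defender's point explicit: in this layout `SSLVerifyClient require` on any vhost other than the first one on the IP:port is never what the handshake enforces, so a site that is supposed to demand client certificates can end up reachable without one purely because of config order. Apache releases from 2.2.12 built against an SNI-capable OpenSSL can pick the vhost during the handshake from the name the client sends, which is what actually removes the limitation; the 2.0 server in the thread predates that, which is why the FAQ Owen links says it cannot be done.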
