httpd-users mailing list archives

Subject RE: [users@httpd] mod_ssl and client cert
Date Thu, 07 Jun 2007 03:06:22 GMT
For limiting the CA's you accept, look into the directive SSLCADNRequestFile.


-----Original Message-----
From: []
Sent: Thursday, May 31, 2007 9:23 AM
Subject: [users@httpd] mod_ssl and client cert

Hello everyone. 
I've an apache 2.2.4 up and running! 
I've this configuration in my ssl.conf file: 

ErrorLog /opt/CHROOT/HTTPD-2.2.4/logs/error_log
TransferLog /opt/CHROOT/HTTPD-2.2.4/logs/access_log
SSLEngine on
SSLCertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.cert.temp
SSLCertificateKeyFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.key.temp
SSLCACertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/ProgettieServizi.cer
<Location />
  SSLVerifyClient require
  SSLVerifyDepth  10
  SSLRequire %{SSL_CLIENT_I_DN_CN} eq "manuciao"
</Location>

As you can see, I want client authentication, but with this configuration the server doesn't
ask the browser for a certificate.
If I move SSLVerifyClient and SSLVerifyDepth out of the Location directive, the server asks
for a client cert, but then it seems that the filter doesn't work.
The server asks me for a cert, I select it from my browser list, and it is not signed by a
CA with the common name "manuciao", but the server doesn't stop me from being served a page.

How can I see the SSL_CLIENT_I_DN_CN value?
I've turned debug on, but I can't see anything for this variable.

If I want a configuration where the server asks for client certificates for a specific URL and
accepts only the ones with a specific CA or a specific common name, what do I have to do?

What is the configuration in my ssl.conf file?

Please let me know!
Thanks in advance 

Manuela Vorazzo   

"Dale Ogilvie" <> 

31/05/2007 04.15
Please respond to

[users@httpd] mod_proxy_balance never recovers from a worker error with stickysession



I am running Apache 2.2.3 on RedHat EL 5. I am trying to use Apache to load balance between
two local instances of tomcat in order to utilize the vast quantities of RAM on our production

My httpd setup looks like this:

<Proxy balancer://tomcat>
   BalancerMember ajp://localhost:8009 min=10 max=100 route=tomcat1 loadfactor=1 retry=120
   BalancerMember ajp://localhost:8010 min=10 max=100 route=tomcat2 loadfactor=1 retry=120
</Proxy>

<Location /balancer-manager>
   SetHandler balancer-manager
   Order deny,allow
   Deny from all
   Allow from
</Location>

ProxyPass /dscgi/ balancer://tomcat/docushare/dsweb/ stickysession=JSESSIONID nofailover=On
ProxyPass /docushare balancer://tomcat/docushare stickysession=JSESSIONID nofailover=On
ProxyPass /docushare/ balancer://tomcat/docushare/ stickysession=JSESSIONID nofailover=On

The problem is that if one of the workers gets into error status, any client with a JSESSIONID
referencing that route is never able to receive a reply, Apache *always* responds with a 503
- Temporarily unavailable,
*until* another request is successful. I expected with "retry=120" that after 120 seconds
the client would be able to use the errored out worker, but this is *not* the case.

Test case:

1. Start tomcats
2. Access /docushare, this succeeds and returns a JSESSIONID cookie referencing the member
3. Stop tomcats to simulate a backend failure
4. Access /docushare again in the same browser session, this fails with a 503 error (as
   expected). Balance-manager shows tomcat1 is OK, and tomcat2 is Err
   Error_log shows: All workers are in error state for route (tomcat2)
5. Start tomcats again
6. Wait for 120+ seconds to allow retry=120 to take effect
7. Access /docushare *using the session with the tomcat2 cookie*, expect success, get 503
   error. I can repeat this step ad nauseam without ever getting a successful response.
   Error_log shows: All workers are in error state for route (tomcat2)
8. To resolve the issue, delete the JSESSIONID cookie from the client or open up a new
   browser and access /docushare. Either of these seem to solve the problem for the
   "cookied" browser session.
9. Access /docushare, this succeeds, balance-manager shows both tomcat1 and tomcat2 are now
   OK even though the cookie returned to this request is for *tomcat1*.

So I would expect that the balance would retry the errored path successfully "retry" seconds
after the failure. Is this a bug or do I have some misunderstanding and/or misconfiguration?


Dale Ogilvie
Senior Software Engineer
Trimble Navigation NZ Ltd
P O Box 8729
Ph:       +64 3 9635344
Fax:     +64 3 9635317

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
  "   from the digest:
For additional commands, e-mail:
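
The per-URL client-certificate setup asked about in this thread, combined with the SSLCADNRequestFile directive suggested in the reply, as an added example that is not part of the original messages or of the Apache project's own configuration. The file paths, the /secure/ URL, the log file name and the two CN strings are placeholders.

```apache
# Added example; every path, URL and CN string below is a placeholder.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Trust anchors: a client certificate chain must verify against these CAs.
    SSLCACertificateFile  /path/to/client-ca.crt

    # CA names advertised to the client in the certificate request.
    # This is a hint the browser uses to filter its selection dialog;
    # verification is still done against SSLCACertificateFile.
    SSLCADNRequestFile    /path/to/client-ca.crt

    # Log the issuer and subject CN per request, to see the values
    # that the SSLRequire expression below is comparing.
    CustomLog logs/ssl_request_log \
        "%t %h \"%r\" issuer_cn=%{SSL_CLIENT_I_DN_CN}x subject_cn=%{SSL_CLIENT_S_DN_CN}x"

    # Only this URL prefix asks for a client certificate.
    <Location /secure/>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # SSL_CLIENT_I_DN_CN is the CN of the issuing CA,
        # SSL_CLIENT_S_DN_CN is the CN of the certificate holder.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Example Issuing CA" \
               and %{SSL_CLIENT_S_DN_CN} eq "manuciao"
    </Location>
</VirtualHost>
```

Keeping SSLCACertificateFile limited to the CAs that are meant to issue client certificates is what enforces the CA restriction; the SSLRequire comparison on CN strings is an additional filter on top of a chain that has already been verified.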
