httpd-users mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] mod_ssl, client certificates and r->username
Date Fri, 21 Jan 2011 11:11:11 GMT
On Fri, Jan 21, 2011 at 11:07 AM, Martin Kuba <makub@ics.muni.cz> wrote:
> Hi Tom,
>
> the normal access log does not contain SSL information. If you want it,
> create a special log using the directive CustomLog, i.e.
>
>
> CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log" \
> "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \
> SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\" \
> SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\" \
> SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""

Ah, see that's the thing - they can also authenticate in other ways, I
was slightly simplifying the situation. I was hoping that I could get
the same user information into the access logs regardless of how they
authenticate.

>
> See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats for
> details.
>
> By the way, I suggest you replace the "SSLVerifyClient require" with
>
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> ErrorDocument 403 /certneedederror.html
>
> The big advantage is that when something goes wrong, the user will get
> a web page with a nice error message you have written, instead of some weird
> browser popup dialog window with an internal SSL error code.

Yes, that is much better! Thanks :)

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
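
Added example, not part of the original thread: a Python parser for the `ssl_request.log` format quoted above that derives one identity per request, whether the user came in through `%u` or through a verified client certificate, and lists requests that succeeded with neither. The sample lines are constructed; it assumes `%u` contains no spaces and that the logged location is meant to require authentication.

```python
import re

def q(name):
    # A double-quoted field; mod_log_config escapes embedded quotes as \"
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

# Mirrors the LogFormat string from the quoted CustomLog directive.
LINE_RE = re.compile(
    r'(?P<vhost>\S+):(?P<port>\d+) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] ' + q('request') + r' (?P<status>\d{3}) (?P<bytes>\S+) '
    + q('agent') + r' SSL_PROTOCOL=(?P<proto>\S+) SSL_CLIENT_S_DN=' + q('s_dn')
    + r' SSL_CLIENT_I_DN=' + q('i_dn') + r' SSL_CLIENT_VERIFY=' + q('verify') + r'$')

def parse(line):
    """Return the parsed fields plus 'source' and 'who', or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    if f['user'] != '-':                      # some auth module set the user
        f['source'], f['who'] = 'remote_user', f['user']
    elif f['verify'] == 'SUCCESS' and f['s_dn'] != '-':
        f['source'], f['who'] = 'client_cert', f['s_dn']
    else:                                     # NONE, FAILED:..., or unset ("-")
        f['source'], f['who'] = 'anonymous', None
    return f

def unauthenticated_ok(lines):
    """Client addresses of requests that got a non-error status with no identity."""
    hits = []
    for f in filter(None, map(parse, lines)):
        if f['source'] == 'anonymous' and int(f['status']) < 400:
            hits.append(f['host'])
    return hits

# Constructed sample log lines (not taken from a real server).
HEAD = ('www.example.org:443 192.0.2.%d - %s [21/Jan/2011:11:00:00 +0000] '
        '"GET /app/ HTTP/1.1" %d 512 "Mozilla/5.0"')
TAIL = ' SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="%s" SSL_CLIENT_I_DN="%s" SSL_CLIENT_VERIFY="%s"'
SAMPLE = [
    HEAD % (10, '-', 200) + TAIL % ('/C=CZ/O=Example/CN=Alice', '/C=CZ/CN=Example CA', 'SUCCESS'),
    HEAD % (11, 'bob', 200) + TAIL % ('-', '-', 'NONE'),
    HEAD % (12, '-', 403) + TAIL % ('-', '-', 'NONE'),
    HEAD % (13, '-', 200) + TAIL % ('-', '-', 'NONE'),
]

if __name__ == '__main__':
    for f in map(parse, SAMPLE):
        print(f['host'], f['status'], f['source'], f['who'])
    print('no identity but not refused:', unauthenticated_ok(SAMPLE))
```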

