httpd-users mailing list archives

From Mark Montague <>
Subject Re: [users@httpd] SSL Client Certificates and CGI
Date Mon, 01 Oct 2012 19:28:21 GMT
On October 1, 2012 14:58 , Tom Browder <> wrote:
> On Mon, Oct 1, 2012 at 10:53 AM, Mark Montague <> wrote:
>> On October 1, 2012 9:17 , Tom Browder <> wrote:
>>> Inside the restricted area I have:
>>>     SSLVerifyClient require
>>> I have found that the configuration doesn't restrict CGI programs at
>>> all as I have them placed
> ...
>> Then something weird is going on.  "SSLVerifyClient require" should prevent
>> any client from accessing the CGI programs unless it has a valid
>> certificate.
> But, Mark, does that apply if the CGI programs themselves are NOT
> located in the restricted area?

No, but then you've solved the problem:

1. You have URI paths beneath which you require clients to present 
certificates in order to not get an HTTP 403 response.
2. You have CGIs, and you find that clients do not need to present 
certificates when they make requests for the CGI.
3. You say that the CGIs from 2 are not in the area in 1.
4. You observe that the CGIs from 2 are not protected by the 
requirements for 1.  This observation is what is expected, due to 3.

The solution -- as far as Apache HTTP Server is concerned -- is to move 
the CGIs into the area in 1, or, alternatively, configure the area in 2 to 
also require clients to present SSL certificates.

If you prefer, you can make client certificates optional for the area in 
which you have the CGIs (while still requiring client certificates for 
area 1), but then you'll need to modify each one of your CGIs to check 
to see whether a client presented a certificate for a given request, 
and, based on that plus other details of the request, have each CGI make 
an authorization decision regarding whether to respond with the 
requested content or whether to respond with an HTTP 403 "Forbidden" error.

If this doesn't answer your question, then I'm not clear on what you are 
actually asking, and maybe someone else can respond better.  Or you 
could try asking your question in a different way.

   Mark Montague

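The third option Mark describes (client certificates optional for the CGI area, with each CGI making its own authorization decision) looks roughly like the following. This is an added example, not code from the thread; it assumes the CGI's area is configured with `SSLVerifyClient optional` and `SSLOptions +StdEnvVars` so that mod_ssl exports the standard `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN` variables to the CGI, and the allow-list of subject DNs is a constructed placeholder.

```python
#!/usr/bin/env python3
"""CGI that authorizes per request from the mod_ssl client-cert environment.

Assumed httpd configuration for the directory holding this script:
    SSLVerifyClient optional
    SSLOptions +StdEnvVars
With "optional", httpd no longer returns 403 on its own, so the CGI must.
"""
import os
import sys

# Constructed allow-list for this example. The DN string format depends on the
# httpd version (see the LegacyDNStringFormat option in the mod_ssl docs).
ALLOWED_SUBJECTS = {"CN=alice,O=Example Org"}


def authorize(env):
    """Return (status_line, body) for a request given its CGI environment.

    mod_ssl sets SSL_CLIENT_VERIFY to NONE (no certificate presented),
    SUCCESS (presented and verified against SSLCACertificateFile),
    or FAILED:<reason>. Anything but SUCCESS is refused, and even a
    verified certificate must carry an allow-listed subject.
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return "403 Forbidden", "client certificate required (%s)" % verify
    subject = env.get("SSL_CLIENT_S_DN", "")
    if subject not in ALLOWED_SUBJECTS:
        return "403 Forbidden", "certificate subject not authorized"
    return "200 OK", "hello " + subject


def respond(status, body, out=sys.stdout):
    # CGI "Status:" header lets httpd send the chosen HTTP status code.
    out.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n"
              % (status, body))


if __name__ == "__main__":
    status, body = authorize(os.environ)
    respond(status, body)
```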