httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Re: Client certificate authentication issues
Date Mon, 15 Oct 2012 12:14:48 GMT
On October 15, 2012 6:11 , VP <rpeyyeti@gmail.com> wrote:
> I am still continuing my search to find other solutions to fix my
> issue. I have a question. Lets say even if my SSLVerifyClient in is
> Location block called "secure". Would the SSL Renegotiation still
> trigger if the user types in direct URL the very first time? Like
> calling:
>
> https://www.something.com/secure
>
> Instead of:
> https://www.something.com and then clicking on hyperlink on the
> homepage which will take the user to https://www.something.com/secure


I am not an expert, but according to what I understand:  yes, in the 
scenario you describe, renegotiation would still be triggered.  The 
reason is that when the client establishes the initial SSL connection, 
it has not yet sent the HTTP request.  The server does not know what URI 
path the client will be accessing, it only knows that there are some URI 
paths for which certificates are required and some for which 
certificates are not required, so it negotiates the connection without 
client side certificates.  (Keep in mind that "SSLVerifyClient" does not 
work reliably with all clients -- so I'm assuming you have 
"SSLVerifyClient require" set for the /secure Location).  After the SSL 
session is established, the client sends the HTTP GET request for 
/secure.  The server sees that a client certificate is required, that no 
client certificate was previously provided (because the SSL session was 
established with "SSLVerifyClient none"), and the server triggers 
renegotiation.

The only sure way around this problem that I know about is to specify 
"SSLVerifyClient require" in the virtual host context or global server 
context so that it applies to al URI and filesystem paths.  The server 
will then require a client certificate in the initial SSL negotiation 
for all connections, and renegotiation should never be triggered.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message