httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Re: [users@httpd] Strange log in ssl server?
Date Fri, 15 Mar 2013 13:47:27 GMT
On 3/13/2013 1:50 AM, Felix Rubio Dalmau wrote:
> Hi,
> I've secured my apache by using SSL certificates (self-signed CA) for both server 
> and clients, and I require them to the clients in order to connect. However, I 
> have found these entries in ssl_access.log:
> - - [03/Mar/2013:16:15:56 +0100] "GET /" 400 458 "-" "-"
> - - [07/Mar/2013:15:25:54 +0100] "GET /" 400 458 "-" "-"
> If those clients do not have the certificates (I'm sure of that), and the 
> negotiation is supposed to be encrypted because of the SSL, how is possible that 
> they have reached the point to do a "GET /"? Am I missing something? I thought 
> that SSL negotiation was performed before the requesting of any page :-s
> Regards
> Felix

Hello, Felix;
   What you have probably configured is server-side SSL only (can
confirm if you post some config snippets). This would mean there are no
requirements at the transport layer for the client to have a
certificate. If you want to require the client to have a certificate,
you can use these directives:

SSLVerifyClient require
SSLCACertificateFile /path/to/your/CA/cert.pem

The word of caution here is that all users will have to present a client
certificate - which would mean they have to have them available to their
browsers or they will never be able to make a request.

Daniel Ruggeri

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message