httpd-users mailing list archives

From Fiedler Roman <Roman.Fied...@ait.ac.at>
Subject [users@httpd] Unexpected request for client certificate on whole site with location/directory-based SSLVerifyClient
Date Wed, 09 Oct 2013 12:10:25 GMT
Dear List,

I'm trying to implement SSL-client certificate check for only some selected URLs, but some
things do not work as expected:

* Although "SSLVerifyClient none" is set for the whole vhost and "SSLVerifyClient require" only for
location "/test", Firefox on Linux will ask for the certificate on all URLs. If I understand
correctly, the expected behavior would be to trigger renegotiation only when the location matches.

* When dismissing the request in Firefox on Linux, the unprotected URLs are served while protected
ones result in (Error code: ssl_error_handshake_failure_alert), although it would be nicer
to get a "Forbidden" served. But I could live with that as well.

* When supplying the certificate via Firefox, content is served as expected.

* IE9 and Firefox on Windows always refuse to show any page (SSL error) for both "/" and
"/test", never asking to supply a client certificate.

When connecting using OpenSSL or socat, the results are different:

* Content of / is served as expected
* Access to "/test" without certificate returns "Forbidden"
* Access to "/test" with certificate FAILS to return the protected content, although renegotiation
is present:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported

Does someone know the magic combination of server-side SSL options to get this working with
as many browsers and OSes as possible?

I've searched for similar problems but failed to find really close hits. Many other users got
location-based requests for client certificates working but had problems with something different
afterwards.

Roman

PS: Config snippet:

  SSLVerifyClient none
  SSLVerifyDepth 1
  SSLCACertificateFile /etc/apache2/ssl/TestingCA.cert

  <Location /test/>
    # Changing this from none to require will make Firefox ask for a client certificate
    # on any URL, not only /test/.*
    SSLVerifyClient require
    # Does not work with/without it anyway
    SSLOptions +OptRenegotiate
  </Location>
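A small diagnostic added here by the editor (not part of Roman's post, nor a tool shipped with Apache httpd) for checking this behaviour from the command line, independently of any browser: it drives `openssl s_client` once per path and parses the transcript for whether the server already requested a client certificate in the initial handshake and which HTTP status came back. Host, port, paths and the sample transcript are constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: parses `openssl s_client` output
# to tell whether the server asked for a client certificate in the initial
# handshake (before any renegotiation) and which HTTP status it returned.
# Host, port, paths and the sample transcript are constructed.

# Print "requested", "not-requested" or "unknown". s_client prints the CA-names
# block once, after the initial handshake, so it reflects that handshake only.
cert_request_status() {
  while IFS= read -r line; do
    case "$line" in
      *"Acceptable client certificate CA names"*) echo requested; return 0 ;;
      *"No client certificate CA names sent"*) echo not-requested; return 0 ;;
    esac
  done <<EOF
$1
EOF
  echo unknown
}

# Print the status code of the first HTTP status line, or "none".
http_status() {
  while IFS= read -r line; do
    case "$line" in
      HTTP/*) set -- $line; echo "$2"; return 0 ;;
    esac
  done <<EOF
$1
EOF
  echo none
}

# Fetch one path over TLS, optionally presenting a PEM client cert/key ($opts unquoted on purpose).
probe_path() {
  opts="-connect $1:$2 -servername $1 -ign_eof"
  [ -n "${4:-}" ] && opts="$opts -cert $4 -key ${5:-$4}"
  out=$(printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$3" "$1" \
        | openssl s_client $opts 2>/dev/null)
  echo "$3: cert $(cert_request_status "$out") up front, HTTP $(http_status "$out")"
}

# Constructed, abridged transcript for a self-check of the parsers.
SAMPLE_NO_REQ='No client certificate CA names sent
---
Secure Renegotiation IS supported
---
HTTP/1.1 403 Forbidden'

# Usage: sh probe.sh HOST PORT PATH [CERT.pem [KEY.pem]]; no arguments = self-check.
if [ $# -ge 3 ]; then probe_path "$@"; else cert_request_status "$SAMPLE_NO_REQ"; fi
```

Run it once for "/" and once for "/test/", with and without `-cert`/`-key`: a vhost configured as above should report "not-requested" for both paths in the initial handshake, with the client certificate only being negotiated afterwards for "/test/".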
