From: Clemens Wyss DEV
To: "users@httpd.apache.org"
Date: Thu, 2 Oct 2014 08:46:45 +0000
Subject: [users@httpd] "conditional" client certificate verification

We are about to introduce client certificates for (optional) authentication.

...
SSLOptions +StdEnvVars +ExportCertData
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLVerifyClient optional
SSLVerifyDepth 4
...

 

Unfortunately Safari@mac has "problems" (apparently a bug) connecting to Apache http://serverfault.com/questions/259610/could-not-establish-a-secure-connection-to-server-with-safari

 

Is there an alternative to the SSLInsecureRenegotiation flag?

 

What I'd like to do is something like

<If "%{HTTP_USER_AGENT} !~ /Safari/">
  SSLCACertificateFile conf/ssl.crt/ca.crt
  SSLVerifyClient optional
  SSLVerifyDepth 10
</If>

 

How "insecure" is the SSLInsecureRenegotiation flag?

 

Any help/advice appreciated

- Clemens

 
