Unexpected request for client certificate on whole site with location/directory-based SSLVerifyClient

Dear List,

I'm trying to implement SSL-client certificate check for only some selected URLs, but some things do not work as expected:

* Although "SSLVerifyClient none" for whole vhost and only "SSLVerifyClient require" for location "/test", Firefox on Linux will ask for the certificate on all URLs. If I understand correctly, expected behavior would be to trigger renegotiation only when location matches.

* When dismissing the request in Firefox in Linux, the unprotected URLs are served while protected ones result in (Error code: ssl_error_handshake_failure_alert) although it would be nicer to get a "Forbidden" served. But I could live with that also.

* When supplying the certificate via Firefox, content is served as expected.

* IE9 and Firefox on Windows always refuse to serve any page (SSL error) for both "/" and "/test" never asking to supply a client certificate.

When connecting using OPENSSL or socat, results are different:

* Content of / is served as expected
* Access to "/test" without certificate returns "Forbidden"
* Access to "/test" with certificate FAILS to return the protected content, although renegotiation is present:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported

Does someone know the magic combination of server-side SSL options to get this working with as many browsers and OSes as possible?

I've searched for similar problems but failed to find really close hits. Many other users got location-based request for client-certificate working but had problems with something different afterwards.

Roman



PS: Config snippet:

  SSLVerifyClient none
  SSLVerifyDepth 1
  SSLCACertificateFile /etc/apache2/ssl/TestingCA.cert

  <Location /test/>
    # Changing this from none to require will make Firefox ask for client certificate on any URL, not only /test/.*
    SSLVerifyClient require
    # Does not work with/without it anyway
    SSLOptions +OptRenegotiate
  </Location>
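Added example, not part of Roman's mail or of Apache: a POSIX shell probe that checks the posted policy from the outside, requesting "/" and "/test/" with and without a client certificate over openssl s_client, so a renegotiation that ends in a handshake alert shows up as "no HTTP response" rather than a status code. It assumes PROBE_HOST/PROBE_PORT for the vhost, client.pem/client.key for a certificate issued by the testing CA, and the CA file path from the posted config.

```shell
#!/bin/sh
# Probe per-location client-certificate enforcement from outside the server.
# Assumptions (not from the mail): PROBE_HOST/PROBE_PORT name the vhost, client.pem
# and client.key hold a cert from the testing CA, CA_FILE is the posted CA path.
PROBE_PORT="${PROBE_PORT:-443}"
CLIENT_CERT="${CLIENT_CERT:-client.pem}"
CLIENT_KEY="${CLIENT_KEY:-client.key}"
CA_FILE="${CA_FILE:-/etc/apache2/ssl/TestingCA.cert}"
# Extract the three-digit code from the first HTTP status line in $1;
# prints nothing when no status line is present (handshake failed, alert, ...).
http_status() {
    printf '%s\n' "$1" | sed -n 's#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p' | head -n 1
}
# Status expected under the posted policy: "/" open to all, "/test/" cert-only.
expected() {
    case "$1:$2" in
        /test/*:nocert) echo 403 ;;
        *) echo 200 ;;
    esac
}
# One GET over openssl s_client. $1 = path, $2 = "cert" or "nocert".
# -quiet implies -ign_eof, so the connection stays open while the server
# renegotiates for the client certificate and then sends its response.
probe() {
    path=$1; mode=$2; certopts=""
    [ "$mode" = cert ] && certopts="-cert $CLIENT_CERT -key $CLIENT_KEY"
    out=$(printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$PROBE_HOST" |
        openssl s_client -connect "$PROBE_HOST:$PROBE_PORT" -CAfile "$CA_FILE" \
            $certopts -quiet 2>&1)
    status=$(http_status "$out")
    want=$(expected "$path" "$mode")
    if [ -z "$status" ]; then
        printf '%-7s %-6s no HTTP response (handshake/renegotiation failed), expected %s\n' \
            "$path" "$mode" "$want"
    elif [ "$status" = "$want" ]; then
        printf '%-7s %-6s %s OK\n' "$path" "$mode" "$status"
    else
        printf '%-7s %-6s %s UNEXPECTED, expected %s\n' "$path" "$mode" "$status" "$want"
    fi
}
# Run the four probes only when a target is given, e.g.
#   PROBE_HOST=www.example.org sh probe.sh
if [ -n "${PROBE_HOST:-}" ]; then
    for path in / /test/; do
        probe "$path" nocert
        probe "$path" cert
    done
fi
```

Comparing the four verdict lines with what Firefox shows makes it clear whether the server policy or the browser's handling of the renegotiation is the part that differs.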
