Hi,

in my understanding authentication using client certificates is just a cryptographic validation of a public/private keypair over an already established ssl-secured channel.
For example, it is possible to use an official certificate for the ssl channel and my own CA for client certificate validation.

Meanwhile I tried to find the suitable RFC to get details about this problem - probably http://tools.ietf.org/html/rfc5246#page-55 might be the right one.

Does anybody have the suitable background know-how of the RFC and mod_ssl to help me find out the source of the problem?

Regards
Marc

On 25.06.2014 21:15, Jens-U. Mozdzen wrote:
> Hi Marc,
>
> Quoting Marc Schöchlin <ms@xxxxxxxxxx>:
>> Hello apache-users,
>>
>> I'm trying to implement client certificate authentication behind an F5
>> loadbalancer.
>>
>> My loadbalancer terminates ssl, and dispatches the decrypted
>> communication via network address translation to the backend apache
>> server.
>> The client certificate auth should be performed at the webserver.
>>
>> Unfortunately the "SSLVerifyClient" directive is ignored and access is
>> always granted.
>> It seems that without enabled ssl transport encryption, the logic for
>> "SSLVerifyClient" is deactivated.
>>
>>
>> Any hints?
>
> yes, your web server is only seeing the plain HTTP traffic - all the
> SSL "stuff" got stripped at the load balancer.
>
> You're so to speak asking to look at the post stamp of a letter, while
> you only received the content because your mail service already
> unpacked everything and dumped the envelope...
>
> Regards,
> Jens
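
Added example (not part of the thread and not the posters' configuration): an Apache configuration fragment contrasting the plain-HTTP backend described above with a vhost in which mod_ssl performs the TLS handshake itself, using a public-CA server certificate and a private CA for client certificates. The hostname and file paths are placeholder assumptions, and vhost (2) only applies if the TLS connection reaches Apache without being terminated upstream.

```apache
# Added example. Hostname and paths are placeholders (assumptions).
# Assumes mod_ssl is loaded and Apache listens on both ports.

# (1) The situation from the thread: the load balancer has already
#     terminated TLS and forwards plain HTTP to this vhost.
<VirtualHost *:80>
    ServerName app.example.test
    DocumentRoot "/var/www/app"

    # No SSLEngine here, so no TLS handshake happens on this connection
    # and Apache never receives a client certificate. As reported in the
    # thread, this directive does not restrict access in this vhost.
    SSLVerifyClient require
</VirtualHost>

# (2) A vhost where mod_ssl itself runs the handshake. The client
#     certificate is requested and checked during that handshake.
<VirtualHost *:443>
    ServerName app.example.test
    DocumentRoot "/var/www/app"

    SSLEngine on

    # Server identity: certificate issued by a public ("official") CA.
    SSLCertificateFile    "/etc/ssl/example/server-public-ca.crt"
    SSLCertificateKeyFile "/etc/ssl/example/server.key"

    # Client identity: accept only certificates that chain to the
    # private CA. This CA is independent of the server certificate's CA.
    SSLCACertificateFile  "/etc/ssl/example/private-client-ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```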