On Tue, Aug 30, 2005 at 10:23:16AM +0200, Yefym Dmukh wrote:
> >SSLVerifyClient is documented as working in directory context, so it
> >should also work in <Location> context. The manual page for mod_ssl does
> >explicitly say that a SSL renegotiation is triggered if a request for the
> >location is received.
>
> Then this is a bug, because it doesn't work for <Location>
>
> Simple test scenario is :
> 1. access document root location - "SSLVerifyClient optional", cancel
>    certificate choice window.
> 2. access location <Location "/auth"> with "SSLVerifyClient require" - no
>    triggered SSL negotiation - access without certificate granted.

That should not happen, it would be a serious security issue if it did. I'd suspect you're seeing a cached session being reused if you're seeing access granted to a location with "SSLVerifyClient require".

Please can you confirm this: add %{SSL_CLIENT_S_DN}x to some CustomLog line so that you can log whether the client cert is actually being picked up or not for access to the protected location.

If this isn't working properly it's something we need to get fixed, but I can't reproduce any problems here.

Regards,

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
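The logging check suggested in the message above, as an added example that is not part of the original e-mail or of the Apache project: it scans an access log that includes %{SSL_CLIENT_S_DN}x and reports requests under /auth that were served without a client certificate DN. The LogFormat, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log format (not from the original message):
#   LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\"" ssl_dn
#   CustomLog logs/ssl_dn_log ssl_dn
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
    r'"(?P<dn>(?:[^"\\]|\\.)*)"$'
)
PROTECTED_PREFIX = "/auth"  # the <Location "/auth"> from the test scenario


def is_protected(path):
    """True if the request path falls under the protected location.
    Matches whole path segments, so /authors.html is not included."""
    path = unquote(path.split("?", 1)[0])
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def find_unauthenticated_hits(lines):
    """Return (time, path, status) for requests to the protected location
    that were served (status < 400) with no client certificate DN logged."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is in some other format
        parts = m.group("request").split()
        if len(parts) < 2:
            continue  # malformed request line
        path, status = parts[1], int(m.group("status"))
        # mod_ssl logs "-" when SSL_CLIENT_S_DN is empty (no certificate)
        if is_protected(path) and status < 400 and m.group("dn") in ("-", ""):
            findings.append((m.group("time"), path, status))
    return findings


# Constructed sample lines, not taken from any real server.
SAMPLE = [
    '192.0.2.10 [30/Aug/2005:10:30:01 +0200] "GET / HTTP/1.1" 200 "-"',
    '192.0.2.10 [30/Aug/2005:10:30:05 +0200] "GET /auth/ HTTP/1.1" 200 "-"',
    '192.0.2.11 [30/Aug/2005:10:31:12 +0200] "GET /auth/r.html HTTP/1.1" 200 "/C=DE/O=Example/CN=Test User"',
    '192.0.2.12 [30/Aug/2005:10:32:40 +0200] "GET /authors.html HTTP/1.1" 200 "-"',
    '192.0.2.12 [30/Aug/2005:10:33:02 +0200] "GET /auth/x HTTP/1.1" 403 "-"',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_hits(SAMPLE):
        print("served without client cert:", hit)
```

An empty result for the protected location means every served request there carried a certificate DN; any finding is a request worth comparing against the SSLVerifyClient configuration.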