On Tue, Aug 30, 2005 at 03:52:11PM +0100, Joe Orton wrote: > On Tue, Aug 30, 2005 at 10:23:16AM +0200, Yefym Dmukh wrote: > > >SSLVerifyClient is documented as working in directory context, so it > > should also work in <Location> context. The manual page for mod_ssl does > > >explicitly say that a SSL renegotiation is triggered if a request for the > > location is received. > > > > > > Then this is a bug, because it doesn't work for <Location> > > > > Simple test scenario is : > > 1. access document root location - "SSLVerifyClient optional" , cance > > certificate choice window. > > 2. access location <Location "/auth"> with "SSLVerifyClient require" - no > > triggered SSL negotiation - access without certificate granted. > > That should not happen, it would be a serious security issue if it did. Oh, nasty :( It does and it is, I can confirm this here now. It looks like this bug dates back to RSE's mod_ssl-for-1.3 too. joe --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|