On Tue, Aug 30, 2005 at 10:23:16AM +0200, Yefym Dmukh wrote:
> > SSLVerifyClient is documented as working in directory context, so it
> > should also work in <Location> context. The manual page for mod_ssl does
> > explicitly say that a SSL renegotiation is triggered if a request for the
> > location is received.
>
> Then this is a bug, because it doesn't work for <Location>
>
> Simple test scenario is:
> 1. access document root location - "SSLVerifyClient optional", cancel
>    certificate choice window.
> 2. access location <Location "/auth"> with "SSLVerifyClient require" - no
>    triggered SSL negotiation - access without certificate granted.

The patch for this which has been proposed for the next 2.0.x release is:

http://people.apache.org/~jorton/CAN-2005-2700.diff

Thanks a lot for reporting this. (The issue appears to also affect Ralf
Engelschall's mod_ssl for 1.3)

Regards,

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
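To find configurations that match the test scenario reported above (an outer "SSLVerifyClient optional" with a per-location "SSLVerifyClient require"), a configuration audit along these lines can be used. This is an added example, not part of the original message or of mod_ssl; the function name and the sample configuration are constructed, and it assumes a single file with no Include handling.

```python
import re

# Constructed sample configuration mirroring the reported test scenario.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLVerifyClient optional
    <Location "/auth">
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost *:8443>
    <Directory "/srv/private">
        SSLVerifyClient require
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\w+)", re.I)
PER_REQUEST = {"location", "locationmatch", "directory", "directorymatch"}

def find_optional_then_require(conf_text):  # hypothetical helper name
    # Returns (section kind, argument, line) for each per-request section that
    # sets 'require' while its nearest configured outer context is 'optional'.
    root = {"kind": "server", "arg": "", "verify": None, "parent": None, "line": 0}
    sections, current = [root], root
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            current = current["parent"] or root
        elif m := OPEN.match(line):
            current = {"kind": m.group(1).lower(), "arg": m.group(2).strip().strip('"'),
                       "verify": None, "parent": current, "line": line_no}
            sections.append(current)
        elif m := VERIFY.match(line):
            current["verify"], current["line"] = m.group(1).lower(), line_no
    findings = []
    for sec in sections:  # evaluated after parsing, so directive order does not matter
        if sec["kind"] in PER_REQUEST and sec["verify"] == "require":
            outer = sec["parent"]
            while outer and outer["verify"] is None:
                outer = outer["parent"]
            if outer and outer["verify"] == "optional":
                findings.append((sec["kind"], sec["arg"], sec["line"]))
    return findings
if __name__ == "__main__":
    print(find_optional_then_require(SAMPLE_CONF))
```

Locations it reports are the ones to retest without a client certificate on unpatched builds.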