RE: [users@httpd] mod-ssl with or without client certificate

> -----Original Message-----
> From: Ezio Paglia [mailto:ezio@xxxxxxxxxxxxxxxxxx]
> Sent: Thursday, 22 December 2005 18:03
> To: users@xxxxxxxxxxxxxxxx
> Subject: [users@httpd] mod-ssl with or without client certificate
> 
> 
> Server version: Apache/2.0.54
> 
> Hi all.
> 
> In our virtual hosts we have got a squirrelmail conf through https (without a client-side certificate). It works.
> 
> NameVirtualHost *:443
> 
> <VirtualHost *:443>
>     ServerAdmin ezio@xxxxxxxxxxxxxxxxxx
>     ServerName webmail.comune.grosseto.it
>     SSLEngine on
>     DocumentRoot /usr/share/squirrelmail
>     <Directory /usr/share/squirrelmail>
>         php_flag register_globals off
>         Options Indexes FollowSymLinks
>         <IfModule mod_dir.c>
>             DirectoryIndex index.php
>         </IfModule>
>         <Files configtest.php>
>             order deny,allow
>             deny from all
>             allow from 127.0.0.1
>         </Files>
>     </Directory>
> </VirtualHost>
> 
> I'd like to add another Virtual Host in order to manage client-side certificates.

And here the problems start.... You are trying to use name-based virtual-hosting under SSL. This cannot be done (see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2 for details and http://marc.theaimsgroup.com/?l=apache-httpd-users&w=2&r=1&s=ssl+name+based&q=b for archived threads on this very topic, which comes up more frequently than I've had hot dinners).

Because your two sites are closely linked, you might try using the same cert in both VHs. When a user first requests either site, HTTPS will start up using the cert of the first VH (so this will cause a warning if the request is for the second site) but once the HTTPS session is established, name-based VHing will "work" again since apache can now decrypt the requests and see the Host header. So users will get the correct site.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> <VirtualHost *:443>
>     ServerAdmin ezio@xxxxxxxxxxxxxxxxxx
>     ServerName ciecns.comune.grosseto.it
>     LogLevel debug
>     SSLEngine on
>     SSLVerifyClient require
>     SSLVerifyDepth 3
>     SSLCACertificateFile /etc/apache2/ssl/caCerts.pem
>     DocumentRoot /var/www/
> </VirtualHost>
> 
> Now, if I put this section before the squirrelmail one, it asks me for the certificate even though I point to the squirrelmail, while if the latter is the second section, I can access everything without any certificate. It sounds like it does not discriminate between client cert and no client certificate; it only understands the method invoked in the first virtual host.
> Do you have any ideas?
> 
> Ciao and thank you.
> Merry Christmas.
> Yours Ezio.
> 
> Ezio Paglia
> Sistemi e Database
> Servizi Informatici (SED)
> Comune di Grosseto
> Ufficio : +39-0564-488706 Fax : +39-0564-21139 Cellulare : 
> +39-320-7984950
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
>
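The workaround Owen describes, written out as an added example (this is not configuration from the original thread): both name-based SSL virtual hosts on *:443 share one certificate and key, and only the second one requires a client certificate. The certificate and key paths below are assumptions; the server names, CA file and document roots are taken from Ezio's posts.

```apache
# Added example, not the original poster's configuration.
# Both SSL vhosts on *:443 present the same server certificate, so the
# handshake (which happens before Apache can read the Host header) succeeds
# for either name; the client-certificate requirement lives only in the
# second vhost.
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName webmail.comune.grosseto.it
    SSLEngine on
    # Assumed paths: one shared certificate/key pair for both names.
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    DocumentRoot /usr/share/squirrelmail
</VirtualHost>

<VirtualHost *:443>
    ServerName ciecns.comune.grosseto.it
    # Keep debug logging on while checking that the client cert is really
    # requested for this name.
    LogLevel debug
    SSLEngine on
    # Same assumed certificate/key as the first vhost.
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # Client-certificate requirement scoped to this vhost only.
    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLCACertificateFile /etc/apache2/ssl/caCerts.pem
    DocumentRoot /var/www/
</VirtualHost>
```

As Owen notes, the handshake is still completed with the first vhost's settings, so a browser opening ciecns.comune.grosseto.it will get the certificate warning for the shared cert. Before relying on the split, test a request for the second name with LogLevel debug and confirm in the error log that the client certificate is actually demanded once the request has been routed to that vhost; whether mod_ssl renegotiates to apply the stricter SSLVerifyClient at that point is something to verify in your build rather than assume. If both sites could live under one ServerName, mod_ssl also accepts SSLVerifyClient inside a <Directory> or <Location> block, which restricts the requirement to a path instead of a whole virtual host.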