Re: [users@httpd] SSLVerifyClient require in Virtual Host

Hi Oliver,

I believe the directives you refer to are for the server establishing an SSL connection. This occurs successfully (other than the cert being for an incorrect host, which I will fix later). As you suggested, this is in my global configuration that I haven't provided.

To summarise, traffic is being encrypted, but client authentication is being ignored.

Cheers,

Tony


On Thu, Mar 02, 2006 at 09:12:49AM +0100, Oliver.Schaudt@xxxxxxxxx wrote:
> Hi Tony,
> 
> if you want to run SSL, my understanding is
> that your server needs a certificate and
> a key file too, or do you have them in another place?
> Like:
>  SSLCertificateFile    /path/to/conf/ssl.crt/subversion2.phoenixphire.org.crt
>  SSLCertificateKeyFile /path/to/conf/ssl.key/subversion2.phoenixphire.org.key
> Then it would be better not to put your key and
> certificate files in the document root. Make this too:
>  SSLCertificateFile    /path/to/conf/ssl.crt/ca.crt
> "LogLevel debug" can help you later to see what is going wrong
> during the connection phase between your client and your server
> 
> Greets
> 
> oliver
> 
> 
> -----Original Message-----
> From: Tony Davies [mailto:tony.davies@xxxxxxxxxxxxxxxx]
> Sent: Thu 02.03.2006 00:59
> To: users@xxxxxxxxxxxxxxxx
> Subject: [users@httpd] SSLVerifyClient require in Virtual Host
>  
> Hi,
> 
> I am running Apache 2.0.55 on a Linux From Scratch box.
> 
> I am trying to get an entire virtual host to use client certificates to authenticate, however I can only get it to work on a <Location /> directive (I haven't tried <Directory>), which forces a renegotiation.
> 
> This is fine for things like Firefox which can handle the renegotiation, however I plan on turning this virtual host into a subversion repository and haven't been able to get renegotiation to work with the svn client or javasvn (but that is a whole other problem).
> 
> The subversion2.phoenixphire.org-ssl.log verifies that a client certificate isn't being sent with my configuration. After running some tests with SSLVerifyClient require in a <Location /> directive I can verify that Firefox does send a client certificate after a renegotiation.
> 
> Is this a bug? The Apache 2.0 documentation says that this is valid and should work (The howto on the apache site for this also says this should work).
> 
> Cheers,
> 
> Phoenix
> 
> My virtual host config is as follows:
> 
> <VirtualHost *:443>
>         ServerName subversion2.phoenixphire.org
>         DocumentRoot /srv/www/subversion2.phoenixphire.org
> 
>         ErrorLog /var/log/apache/subversion2.phoenixphire.org-error.log
>         CustomLog /var/log/apache/subversion2.phoenixphire.org-access.log common
>         CustomLog /var/log/apache/subversion2.phoenixphire.org-ssl.log "%t %{SSL_CLIENT_I_DN_CN}x %{SSL_CLIENT_S_DN_CN}x"
> 
>         SSLCACertificateFile /srv/www/ca.crt
>         SSLVerifyClient require
>         SSLVerifyDepth 1
> 
>         SSLOptions +StrictRequire
> 
> </VirtualHost>
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
> 
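
The check described in the thread (reading the `-ssl.log` to see whether a client certificate arrived) can be scripted. The following is an added example, not code from either poster: it parses the `"%t %{SSL_CLIENT_I_DN_CN}x %{SSL_CLIENT_S_DN_CN}x"` format from the virtual host above and flags requests served without a client certificate, relying on httpd logging an unset variable as `-`. The sample lines and CA/user names are constructed.

```python
import re

# Matches the CustomLog format from the virtual host above:
#   "%t %{SSL_CLIENT_I_DN_CN}x %{SSL_CLIENT_S_DN_CN}x"
LINE_RE = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<rest>.+)$")

# Constructed sample lines, not taken from the poster's server.
SAMPLE_LOG = """\
[02/Mar/2006:00:41:07 +1100] - -
[02/Mar/2006:00:43:19 +1100] Example Test CA tony
[02/Mar/2006:00:44:02 +1100] - -
garbage line
[02/Mar/2006:00:45:30 +1100] Example Test CA Build Robot
"""

def classify(line):
    """Return (timestamp, status); status is 'no-cert', 'cert' or 'unparsed'."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return (None, "unparsed")
    # Issuer and subject CNs may contain spaces, so the two fields cannot be
    # split reliably. Without a client certificate both variables are unset
    # and each is logged as "-", so "- -" is the only unambiguous test.
    rest = m.group("rest").strip()
    return (m.group("time"), "no-cert" if rest == "- -" else "cert")

def summarize(text):
    """Count line types and collect timestamps of certificate-less requests."""
    counts = {"cert": 0, "no-cert": 0, "unparsed": 0}
    missing = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status = classify(line)
        counts[status] += 1
        if status == "no-cert":
            missing.append(ts)
    return counts, missing

if __name__ == "__main__":
    counts, missing = summarize(SAMPLE_LOG)
    print(counts)
    for ts in missing:
        print("request served without client certificate at", ts)
```

On a virtual host where `SSLVerifyClient require` is actually enforced, no `- -` line should appear at all, so any hit reproduces the symptom reported here.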

