On Tue, Apr 15, 2008 at 1:56 PM, Shakti <corewafer@xxxxxxxxxxxx> wrote: > Hi, > > I am new to the apache and need help with ssl authentication. I have > compiled apache2 on Mac OS X. Configured it with basic authentication and > that worked fine. I enabled ssl and that worked fine. Then I generated > certificates for the server and clients, installed certificates in client's > browsers and that worked OK too. > > Then I tried to combine certificate authentication with basic > authentication and that is were I run into a problem. I am not sure if that > is possible to do? When I do that I get normal prompt form the server to > accept the certificate, them the user name and password prompt. I type the > user name and password, but then it comes again and again and prompts me for > the user name and password over and over again. > > When I do not use client certificate, then typing the user name and > password works fine. Here is the section in httpd-ssl.conf where I am > experimenting > > <Directory "/usr/local/apache2/htdocs"> > Options Indexes FollowSymLinks MultiViews > SSLVerifyClient require > SSLVerifyDepth 1 > SSLCACertificatePath "conf/certs" > SSLCACertificateFile "conf/certs/cwsca.crt" > > AuthType Basic > AuthName "CoreWafer" > AuthUserFile /usr/local/apache2/conf/passwd/passwords > AuthGroupFile /usr/local/apache2/conf/passwd/groups > Require group CoreWafer > > Order allow,deny > Allow from all > </Directory> > > If I disable: > > SSLVerifyClient require > SSLVerifyDepth 1 > SSLCACertificatePath "conf/certs" > SSLCACertificateFile "conf/certs/cwsca.crt" > > then prompting for user name and password works fine. If I disable: > > AuthType Basic > AuthName "CoreWafer" > AuthUserFile /usr/local/apache2/conf/passwd/passwords > AuthGroupFile /usr/local/apache2/conf/passwd/groups > Require group CoreWafer > > then using the client certificate works fine. It is when I try to use both, > that is the client certificate and the password when I get into trouble. I'm not an expert in this stuff, but I'd suggest 1. Move SSLVerifyDepth out of the <Directory> section. According to the docs, this will force a renegotiation when placed there. (And you are just repeating the default anyway, so you can probably remove it entirely.) 2. Tell us what the error log says and what you are seeing in the access log. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|