Hi!
httpd.conf
---------------------------------------------------------------------------------
SSLVerifyClient none
<Directory /usr/local/apache2/htdocs/secure/area>
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
AuthName "Snake Oil Authentication"
AuthType Basic
AuthUserFile /usr/local/apache2/conf/httpd.passwd
require valid-user
</Directory>
---------------------------------------------------------------------------------
httpd.passwd
---------------------------------------------------------------------------------
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
<my subject DN >:xxj31ZMTZzkVA
---------------------------------------------------------------------------------
But I have one question.
If my SubjectDN is present in the file "httpd.passwd", access is granted, while if my SubjectDN is not in the "httpd.passwd" file, I am prompted for a username and password, as the browser gets a 401 HTTP status.
I think this is misleading for users, as they are accessing the area with their certificate, and whether somebody has been disabled (i.e. deleted from the httpd.passwd) or has no rights for a defined area, he gets a username/password prompt and the "authorization required" page after "n" attempts, depending on the browser configuration. I know the disabled user won't have access anyway, but I am wondering if there is a way to skip this or to provide a 403 HTTP status instead of 401.
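
One way to get a 403 in the situation described above, shown as an added example that is not part of the original post: drop FakeBasicAuth and the Basic-auth directives and authorize with mod_ssl's SSLRequire, which answers 403 Forbidden when its expression is false. The CN list is a constructed stand-in for the entries in httpd.passwd; on Apache 2.4 SSLRequire is deprecated in favor of Require expr.

```apache
SSLVerifyClient none
<Directory /usr/local/apache2/htdocs/secure/area>
# Certificate verification is unchanged from the original block.
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLRequireSSL
# Keep the SSL denial in force even if "Satisfy any" is set elsewhere.
SSLOptions +StrictRequire
# No AuthType/AuthUserFile/"require valid-user" here, so the server never
# sends a 401 Basic challenge. Authorization is decided from the verified
# certificate; a certificate that does not match gets 403 Forbidden.
# The CN set replaces the lines of httpd.passwd (constructed sample value):
# removing a CN from the set disables that user.
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
       and %{SSL_CLIENT_S_DN_OU} eq "Staff" \
       and %{SSL_CLIENT_S_DN_CN} in {"Foo"}
</Directory>
```

The expression matches on O, OU and CN rather than the full subject DN string, so it is only as strict as the issuing CA's naming policy for those three fields.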