Making SSLVerifyClient optional using mod_rewrite and Alias?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi everyone,

Here's the challenge I'm trying to solve. I'd like to use the SSLVerifyClient directive to offer better security to users who know about client certificates, but only for users who opt in to the extra security.

To make matters more difficult, I'd like to use the same URLs for my pages regardless of whether they're using client certificates or not.

How would you accomplish this?

I know the first thing everybody is going to think is "If you want it to be optional, just use 'SSLVerifyClient optional_no_ca'", but that runs the risk of the user being *asked* for their cert, even if they have no idea what a client cert is. Sure, they can just hit cancel and get in, but it looks like a bug to people who don't know better.

I've managed to hack together this little work-around, and it works! But I'm not sure it's a good idea:

RewriteCond %{HTTP_COOKIE} cert=opt
RewriteRule ^/(.*) /certopt/$1 [NS,PT]

	<Location /certopt>
	SSLVerifyClient optional_no_ca
	SSLOptions +StdEnvVars +ExportCertData
	</Location>

Alias /certopt C:/Projects/website

(In the example I'm using a cookie to change whether or not I'm using the extra verification, under the assumption that the final PHP code will do proper validation, but I could use any method mod_rewrite supports.)

So basically, I'm using one method of rewriting the URL (mod_rewrite) so I can pick up the extra SSL directives, then I'm using a *different* method of URL rewriting (alias) to return the URL to its original state.

Only thing is, I'm not 100% certain that this is actually *supposed* to work. Can I rely on this working in future versions? Is it a terrible idea? Is there a better way to do it? Am I going to be forced to learn the inner workings of mod_ssl and write a patch if I want this feature?

Thanks,

-Rick-

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux