-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Actually I think that this may be a browser issue. Not apache, but the browser is asking which client certificate you want to present to the server. I know that in Firefox there's an option which lets you either always ask the user, or always present the same 1 client certificate. So... it may be that this isn't related to the URI, but just to the interaction between server and browser.

Karel

On Feb 11, 2009, at 2:10 PM, Eric Covener wrote:

> On Tue, Feb 10, 2009 at 11:43 PM, - - <jensiragh@xxxxxxxxxx> wrote:
> > Hi,
> >
> > I recently set up an environment for testing client certificate based authentication on an apache webserver. The test environment is a recent Ubuntu 8.10 distro with tinyca2 0.7.5 and apache 2.2.9. I have set up a test root CA and two certificates signed by this CA: one for the webserver and one for the user. Everything done by tinyca2.
> >
> > First I configured apache to allow only ssl-connections (no client certificates yet): Everything worked so far: /var/www is only accessible via https.
> >
> > Now I added a new subdirectory /var/www/secret with a dummy index.html which should only be accessible by users which provide a certificate. So I added this to my sites-enabled/foo.conf:
> >
> >     ...
> >     SSLVerifyClient none
> >     ...
> >     SSLVerifyClient require
> >     SSLVerifyDepth 2
> >     SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> >         and %{SSL_CLIENT_S_DN_CN} eq "My name in CN of certificate" )
> >
> > What I expected was: outside of /var/www/secret (i.e. in /var/www or /var/www/public) documents are accessible by everyone, only inside of /var/www/secret a user needs to provide his certificate.
> >
> > What I got was: apache asks for the user's certificate no matter which document is requested (i.e. inside AND outside of /var/www/secret).
>
> Can you post your verbatim configuration? The operative context isn't really shown.
>
> --
> Eric Covener
> covener@xxxxxxxxx
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

- --
Best regards / met vriendelijke groet,
Karel Kubat
Mob +31 6 2956 4861
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmS2VwACgkQ23FrzRzybNWSFACg/PzprhfGZzW9trfPVpuYS3B6
we0AnjDMfyd1rXgaOH0Xnt1c/kzXpz/6
=fPCJ
-----END PGP SIGNATURE-----
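
Eric's request for the verbatim configuration matters because mod_ssl treats `SSLVerifyClient` differently by context: at server or virtual-host scope it applies to the initial handshake, so every URL triggers the certificate request, while inside a per-directory container it is applied by renegotiation only for matching requests. The Python sketch below is an added example, not part of the original posts; it reports the scope of each `SSLVerifyClient` directive in a configuration, and the sample configuration and function names are constructed for illustration.

```python
import re

# Constructed sample (the poster's real configuration is never shown in the thread).
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient none
    <Directory /var/www/secret>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")
# Containers in which SSLVerifyClient is evaluated per request (renegotiation).
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

def verify_client_scopes(conf):
    """Return (scope, value, per_directory) for each SSLVerifyClient directive."""
    stack, found = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
            continue
        parts = line.split()
        if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            scope = " > ".join(f"{n} {a}".strip() for n, a in stack)
            per_dir = any(n in PER_DIR for n, _ in stack)
            found.append((scope or "server config", parts[1].lower(), per_dir))
    return found

def prompts_everywhere(conf):
    """True if some server/vhost scope ends up requesting a certificate
    in the initial handshake, i.e. before any URL is known."""
    last = {}
    for scope, value, per_dir in verify_client_scopes(conf):
        if not per_dir:
            last[scope] = value  # a later directive in the same scope wins
    return any(v != "none" for v in last.values())
```

The checker does not read `.htaccess` files or follow `Include` directives, so it only describes the text it is given.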