I would also say post the verbatim config. The way it looks currently is that you have the sslverifyclient and sslrequire in the whole site/vhost config, when you probably should put it in a <Directory "/var/www/secret"> directive.

-Tony
---------------------------
Manager, IT Operations
Format Dynamics, Inc.
303-573-1800x27
abiacco@xxxxxxxxxxxxxxxxxx
http://www.formatdynamics.com

-----Original Message-----
From: Karel Kubat [mailto:karel@xxxxxxxxxxxx]
Sent: Wednesday, February 11, 2009 6:58 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: user certificates with apache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Actually I think that this may be a browser issue. Not apache, but the browser is asking which client certificate you want to present to the server. I know that in Firefox there's an option which lets you either always ask the user, or always present the same 1 client certificate. So... it may be that this isn't related to the URI, but just to the interaction between server and browser.

Karel

On Feb 11, 2009, at 2:10 PM, Eric Covener wrote:

> On Tue, Feb 10, 2009 at 11:43 PM, - - <jensiragh@xxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> I recently set up an environment for testing client certificate based
>> authentication on an apache webserver. The test environment is a recent Ubuntu
>> 8.10 distro with tinyca2 0.7.5 and apache 2.2.9. I have set up a test root CA,
>> two certificates signed by this CA: one for the webserver and one for the user.
>> Everything done by tinyca2. First I configured apache to allow only
>> ssl-connections (no client certificates yet): Everything worked so far: /var/www
>> is only accessible via https. Now I added a new subdirectory /var/www/secret
>> with a dummy index.html which should only be accessible by users which provide a
>> certificate. So I added this to my sites-enabled/foo.conf:
>>
>> ...
>> SSLVerifyClient none
>> ...
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 2
>> SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>>              and %{SSL_CLIENT_S_DN_CN} eq "My name in CN of certificate" )
>>
>>
>> What I expected was: outside of /var/www/secret (i.e. in /var/www or
>> /var/www/public) documents are accessible by everyone, only inside of
>> /var/www/secret a user needs to provide his certificate.
>> What I got was: apache asks for the user's certificate no matter which document
>> is requested (i.e. inside AND outside of /var/www/secret).
>>
>
> Can you post your verbatim configuration? The operative context isn't
> really shown.
>
> --
> Eric Covener
> covener@xxxxxxxxx
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

- --
Best regards / met vriendelijke groet,

Karel Kubat
Mob +31 6 2956 4861

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmS2VwACgkQ23FrzRzybNWSFACg/PzprhfGZzW9trfPVpuYS3B6
we0AnjDMfyd1rXgaOH0Xnt1c/kzXpz/6
=fPCJ
-----END PGP SIGNATURE-----
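The fix Tony is pointing at, written out as an added example for readers of this thread (it is not the poster's foo.conf and not something any of the participants wrote; the certificate paths, ServerName and CA file name are assumptions). The same SSLVerifyClient / SSLVerifyDepth / SSLRequire lines from the original post are kept, but moved under a <Directory> block so the vhost default stays "none". mod_ssl then renegotiates the TLS session only on the first request into /var/www/secret, which is when the browser's certificate prompt appears; with "SSLVerifyClient require" at vhost level the client certificate is demanded in the initial handshake, i.e. for every URI, which is exactly the symptom reported.

```apache
# Added example: one HTTPS vhost whose default is "no client certificate",
# with client-certificate authentication enforced only for /var/www/secret.
# File paths, ServerName and the CA file below are assumptions, not from the thread.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www

    SSLEngine on
    # Assumed locations of the server certificate and key issued by the test CA.
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # The CA that signed the user certificate. Without this, "require" cannot
    # verify any client certificate and every request into /secret fails.
    SSLCACertificateFile  /etc/ssl/certs/test-root-ca.crt

    # Vhost-wide default: never ask the browser for a certificate.
    # Putting "require" here instead is what prompts on every request.
    SSLVerifyClient none

    # Only this directory demands a certificate. mod_ssl performs a
    # renegotiation on the first request that enters it, so the browser
    # prompt is tied to this path rather than to the whole site.
    <Directory "/var/www/secret">
        SSLVerifyClient require
        # Allow the chain: user cert -> test root CA (depth 2 as in the thread).
        SSLVerifyDepth 2
        # Reject export/NULL ciphers and pin access to one certificate subject CN.
        SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                     and %{SSL_CLIENT_S_DN_CN} eq "My name in CN of certificate" )
    </Directory>
</VirtualHost>
```

Two checks worth running after editing: `apache2ctl -t` (Ubuntu's wrapper for `apachectl configtest`) catches a missing SSLCACertificateFile or a mismatched <Directory> tag before a reload, and fetching a document under /var/www/public versus /var/www/secret from the same browser session should prompt exactly once, on the first /secret request. Apache's config syntax does not accept trailing comments on a directive line, so the comments above sit on their own lines. On httpd 2.4 the SSLRequire expression is still accepted but deprecated in favour of `Require expr`; on 2.2.9, as in the thread, SSLRequire is the supported form.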