RE: user certificates with apache

I would also say post the verbatim config.
The way it looks currently is that you have the sslverifyclient and
sslrequire in the whole site/vhost config, when you probably should put
it in a <Directory "/var/www/secret"> directive.

-Tony
---------------------------
Manager, IT Operations
Format Dynamics, Inc.
303-573-1800x27
abiacco@xxxxxxxxxxxxxxxxxx
http://www.formatdynamics.com
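
The scoping suggested in the reply above, written out as an added example; it is not part of the thread and not anyone's actual configuration. The ServerName and certificate file paths are placeholders (assumptions); the directory, verify depth and SSLRequire expression are taken from the original question in this thread.

```apache
# Added example; hostname and certificate paths are placeholders (assumptions).
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot /var/www

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # CA that signed the user certificates (the test root CA in the thread)
    SSLCACertificateFile  /etc/apache2/ssl/test-root-ca.crt

    # Weak placement (what the reply suspects): at vhost level these
    # directives apply to every URL, so every request demands a client
    # certificate.
    #   SSLVerifyClient require
    #   SSLVerifyDepth  2
    #   SSLRequire ( ... )

    # Corrected: no client certificate for the site as a whole ...
    SSLVerifyClient none

    # ... and the requirement scoped to the protected directory only.
    <Directory "/var/www/secret">
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                 and %{SSL_CLIENT_S_DN_CN} eq "My name in CN of certificate" )
    </Directory>
</VirtualHost>
```

In per-directory context mod_ssl renegotiates the connection after reading the request, so the client certificate is requested only when a URL under /var/www/secret is accessed.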


-----Original Message-----
From: Karel Kubat [mailto:karel@xxxxxxxxxxxx] 
Sent: Wednesday, February 11, 2009 6:58 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  user certificates with apache

Hi,

Actually I think that this may be a browser issue. Not apache, but the  
browser is asking which client certificate you want to present to the  
server. I know that in Firefox there's an option which lets you either  
always ask the user, or always present the same 1 client certificate.  
So... it may be that this isn't related to the URI, but just to the  
interaction between server and browser.

Karel

On Feb 11, 2009, at 2:10 PM, Eric Covener wrote:

> On Tue, Feb 10, 2009 at 11:43 PM, - - <jensiragh@xxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> I recently set up an environment for testing client certificate based
>> authentication on an apache webserver. The test environment is a recent Ubuntu
>> 8.10 distro with tinyca2 0.7.5 and apache 2.2.9. I have set up a test root CA,
>> two certificates signed by this CA: One for the webserver and one for the user.
>> Everything done by tinyca2. First I configured apache to allow only
>> ssl-connections (no client certificates yet): Everything worked so far: /var/www
>> is only accessible via https. Now I added a new subdirectory /var/www/secret
>> with a dummy index.html which should only be accessible by users which provide a
>> certificate. So I added this to my sites-enabled/foo.conf:
>>
>> ...
>> SSLVerifyClient none
>> ...
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 2
>> SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>> and %{SSL_CLIENT_S_DN_CN} eq "My name in CN of certificate" )
>>
>>
>> What I expected was: outside of /var/www/secret (i.e. in /var/www or
>> /var/www/public) documents are accessible by everyone, only inside of
>> /var/www/secret a user needs to provide his certificate.
>> What I got was: apache asks for the user's certificate no matter which document
>> is requested (i.e. inside AND outside of /var/www/secret).
>>
>
> Can you post your verbatim configuration? The operative context isn't
> really shown.
>
> -- 
> Eric Covener
> covener@xxxxxxxxx
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server  
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

--
Best regards / met vriendelijke groet, Karel Kubat
Mob +31 6 2956 4861



