Posted to users@httpd.apache.org by Benjamin Cuthbert <be...@db.com> on 2006/11/08 16:38:40 UTC

[users@httpd] client side certificates authentication in virtual hosts

All

Can you run two SSL virtual host URLs on the same IP address and have one 
running with no client certificate authentication and one running without 
client authentication? I have tried it and the options

        SSLVerifyClient require
        SSLVerifyDepth 1

But when this is enabled on one of the virtual hosts it takes out the 
other virtual host and I am unable to connect.

Regards

Ben Cuthbert
Deutsche Bank AG
Corporate & Investment Bank
GTO : TISO / Arch Global Finance / Prime Services
PGP: http://pgp.mit.edu
+44 (0) 20 754 76389 (Tel)
+44 (0) 20 754 74996 (Fax)

---

This e-mail may contain confidential and/or privileged information. If you 
are not the intended recipient (or have received this e-mail in error) 
please notify the sender immediately and destroy this e-mail. Any 
unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.

Re: [users@httpd] client side certificates authentication in virtual hosts

Posted by Serge Dubrouski <se...@gmail.com>.
On 11/8/06, Benjamin Cuthbert <be...@db.com> wrote:
>
>
> That does not sound like such a good idea. What if I bound the new virtual
> host to a new IP address, would I then be able to
> run both in different modes?


That sounds much better. And you will be able to have different Server
certificates and different Client Verification modes for them.

On 11/8/06, Benjamin Cuthbert <be...@db.com> wrote:
> >
> > All
> >
> > Can you run two SSL virtual host URLs on the same IP address and have one
> > running with no client certificate authentication and one running without
>
> It's possible if having one VirtualHost complaining about a wrong Server
> Certificate is applicable for you, which I really doubt.
>
> > client authentication? I have tried it and the options
> >
> >         SSLVerifyClient require
> >         SSLVerifyDepth 1
> >
> > But when this is enabled on one of the virtual hosts it takes out the other
> > virtual host and I am unable to connect.
>
> Most probably you configured both of your VHs with the same name. In
> this case one of the hosts is ignored and you always hit the same VH. Or you
> have some other kind of mistake in your config. It would be good to
> take a look at how you configured them.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] client side certificates authentication in virtual hosts

Posted by Benjamin Cuthbert <be...@db.com>.
That does not sound like such a good idea. What if I bound the new virtual 
host to a new IP address, would I then be able to 
run both in different modes?

Regards

Ben Cuthbert
Deutsche Bank AG
Corporate & Investment Bank
GTO : TISO / Arch Global Finance / Prime Services
PGP: http://pgp.mit.edu
+44 (0) 20 754 76389 (Tel)
+44 (0) 20 754 74996 (Fax)



"Serge Dubrouski" <se...@gmail.com> 
11/08/2006 03:52 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] client side certificates authentication in virtual hosts

On 11/8/06, Benjamin Cuthbert <be...@db.com> wrote:
>
> All
>
> Can you run two SSL virtual host URLs on the same IP address and have one
> running with no client certificate authentication and one running without

It's possible if having one VirtualHost complaining about a wrong Server
Certificate is applicable for you, which I really doubt.

> client authentication? I have tried it and the options
>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
>
> But when this is enabled on one of the virtual hosts it takes out the other
> virtual host and I am unable to connect.

Most probably you configured both of your VHs with the same name. In
this case one of the hosts is ignored and you always hit the same VH. Or you
have some other kind of mistake in your config. It would be good to
take a look at how you configured them.


Re: [users@httpd] client side certificates authentication in virtual hosts

Posted by Serge Dubrouski <se...@gmail.com>.
On 11/8/06, Benjamin Cuthbert <be...@db.com> wrote:
>
> All
>
> Can you run two SSL virtual host URLs on the same IP address and have one
> running with no client certificate authentication and one running without

It's possible if having one VirtualHost complaining about a wrong Server
Certificate is applicable for you, which I really doubt.

> client authentication? I have tried it and the options
>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
>
> But when this is enabled on one of the virtual hosts it takes out the other
> virtual host and I am unable to connect.

Most probably you configured both of your VHs with the same name. In
this case one of the hosts is ignored and you always hit the same VH. Or you
have some other kind of mistake in your config. It would be good to
take a look at how you configured them.


Re: [users@httpd] client side certificates authentication in virtual hosts

Posted by Joshua Slive <jo...@slive.ca>.
On 11/8/06, Benjamin Cuthbert <be...@db.com> wrote:
>
> All
>
> Can you run two SSL virtual host URLs on the same IP address and have one
> running with no client certificate authentication and one running without
> client authentication? I have tried it and the options
>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
>
> But when this is enabled on one of the virtual hosts it takes out the other
> virtual host and I am unable to connect.

When using one IP address, you'll likely have the same problem with
the client certificates that you do with the server certificates: the
certificate must be selected before the hostname is known.  So I doubt
this will work.

Joshua.
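
The separate-IP layout suggested earlier in this thread, written out as an added example (not configuration posted by any participant). The IP addresses, hostnames and file paths are placeholders; each virtual host gets its own address, so the server certificate and the client verification mode are chosen by the address the client connected to rather than by the hostname.

```apache
# Added example. Addresses (documentation range), hostnames and paths
# are placeholders, not values from the thread.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Host without client authentication: server certificate only.
<VirtualHost 192.0.2.10:443>
    ServerName public.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/public.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/public.example.com.key
    SSLVerifyClient none
</VirtualHost>

# Host with client authentication on its own IP address.
# SSLVerifyDepth 1: the client certificate must be signed by a CA that
# is directly known to the server through SSLCACertificateFile.
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/secure.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/secure.example.com.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
```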
