You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Clemens Wyss DEV <cl...@mysign.ch> on 2014/10/02 10:46:45 UTC

[users@httpd] "conditional" client certificate verification

We are about to introduce client certificates for (optional) authentication.

...

SSLOptions +StdEnvVars +ExportCertData

SSLCACertificateFile conf/ssl.crt/ca.crt SSLVerifyClient optional SSLVerifyDepth 4 ...



Unfortunately Safari@mac has "problems" (apparently a bug) connecting to Apache http://serverfault.com/questions/259610/could-not-establish-a-secure-connection-to-server-with-safari



Is there an alternative to the SSLInsecureRenegotiation flag?



What I'd like to do is something like

<If "%{HTTP_USER_AGENT} !~ /Safari/">

  SSLCACertificateFile conf/ssl.crt/ca.crt

  SSLVerifyClient optional

  SSLVerifyDepth 10

</If>



How "insecure" is the SSLInsecureRenegotiation flag?



Any help/advice appreciated

- Clemens