Posted to test-dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2005/01/28 17:24:59 UTC
Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in /httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
On Fri, Jan 28, 2005 at 02:40:38PM -0000, geoff@apache.org wrote:
> +
> + # specific to 2.1
> + <IfModule mod_authn_anon.c>
> + <IfModule mod_auth_basic.c>
> + <Location /ssl-fakebasicauth2>
> + SSLVerifyClient require
> + SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> + SSLOptions +FakeBasicAuth +StdEnvVars
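Review bot: the SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" line directly under "SSLVerifyClient require" checks nothing new, because "require" already refuses a client that presents no verifiable certificate before the access checks run. Either drop the SSLRequire line, or use "SSLVerifyClient optional" if the SSLRequire expression is what the test is meant to exercise. The "# specific to 2.1" comment would also be clearer if it said what is 2.1-specific, presumably the mod_authn_anon.c and mod_auth_basic.c names in the two IfModule lines.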
Did you mean SSLVerifyClient optional? Otherwise the SSLRequire is
surely redundant?
Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in
/httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> Geoff, removing the SSLRequire line is right, it
> doesn't really matter though...
ok, done. thanks for the input.
--Geoff
Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in /httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Jan 28, 2005 at 05:22:28PM +0000, Joe Orton wrote:
> On Fri, Jan 28, 2005 at 06:03:14PM +0100, Dominique Quatravaux wrote:
> > Geoffrey Young wrote:
> >
> > |
> > | so, are you saying that can remove SSLVerifyClient here and all is
> > | ok?
> >
> > No no, you're right and Joe was wrong, you must not change a thing.
> > Sorry for being unclear!
>
> I think you're confused about the difference between SSLVerifyClient
> "optional" and "require"
...he says...
> : both insist on a new handshake, both send the
> client a CertificateRequest message, but the former will fail the SSL
> handshake if no cert is presented; the latter will not.
...and then explains it backwards - exchange "former" and "latter" in
that sentence...
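The distinction as corrected in the message above, written out as an added configuration sketch. It is not part of the original thread or of the committed ssl.conf.in, and the two /certs-* locations are hypothetical names.

```apache
# Added example; the /certs-* paths are hypothetical, not from the test suite.

# Case 1: "require". A CertificateRequest is sent, and the handshake (or the
# per-location renegotiation) fails unless the client presents a certificate
# that verifies. Any request that reaches the access checks therefore already
# has SSL_CLIENT_VERIFY set to "SUCCESS", and an SSLRequire test on it adds
# nothing.
<Location /certs-required>
    SSLVerifyClient require
    # SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"   (always true here)
</Location>

# Case 2: "optional". A CertificateRequest is still sent, but a client that
# presents no certificate completes the handshake, with SSL_CLIENT_VERIFY set
# to "NONE". Here the SSLRequire line is the only thing that denies such a
# request.
<Location /certs-optional>
    SSLVerifyClient optional
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Location>
```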
Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in /httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Jan 28, 2005 at 06:03:14PM +0100, Dominique Quatravaux wrote:
> Geoffrey Young wrote:
>
> |
> | so, are you saying that can remove SSLVerifyClient here and all is
> | ok?
>
> No no, you're right and Joe was wrong, you must not change a thing.
> Sorry for being unclear!
I think you're confused about the difference between SSLVerifyClient
"optional" and "require": both insist on a new handshake, both send the
client a CertificateRequest message, but the former will fail the SSL
handshake if no cert is presented; the latter will not. So doing an
SSLRequire check for %{SSL_VERIFY_CLIENT} after using "SSLVerifyClient
require" is redundant. Geoff, removing the SSLRequire line is right, it
doesn't really matter though...
joe
Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in
/httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
Posted by Dominique Quatravaux <do...@idealx.com>.
Geoffrey Young wrote:
|
| so, are you saying that can remove SSLVerifyClient here and all is
| ok?
No no, you're right and Joe was wrong, you must not change a thing.
Sorry for being unclear!
- --
Dominique QUATRAVAUX Ingénieur senior
01 44 42 00 08 IDEALX
Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in
/httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> So Geoff is saying, "you must try" and at the next line "you must also
> succeed". With SSLVerifyClient optional, the semantics would be
> instead "Don't bother to insist for a certificate", "but if user
> forgot it, give him flaming death". Considered inappropriate :-)
I'm no expert here - I took the SSLRequire line from the test case on
httpd-dev, while all the other tests use SSLVerifyClient so I kept it
without really understanding things at all.
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=110685418427430&w=2
so, are you saying that can remove SSLVerifyClient here and all is ok? all
I wanted was to exercise FakeBasicAuth + mod_auth_anon.
--Geoff
Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in
/httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
Posted by Dominique Quatravaux <do...@idealx.com>.
Joe Orton wrote:
| On Fri, Jan 28, 2005 at 02:40:38PM -0000, geoff@apache.org wrote:
|
|> [...]
|> + SSLVerifyClient require +
|> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" [...]
|
|
| Did you mean SSLVerifyClient optional? Otherwise the SSLRequire is
| surely redundant?
Actually, "SSLVerifyClient" means whether to *attempt* to validate the
peer certificate by sending appropriate handshake messages at the SSL
level, renegotiating mid-HTTP-request if need be e.g. because we are
in a <Location> directive.
So Geoff is saying, "you must try" and at the next line "you must also
succeed". With SSLVerifyClient optional, the semantics would be
instead "Don't bother to insist for a certificate", "but if user
forgot it, give him flaming death". Considered inappropriate :-)
- --
Dominique QUATRAVAUX Ingénieur senior
01 44 42 00 08 IDEALX