You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/08/30 11:18:32 UTC
DO NOT REPLY [Bug 12355] -
SSLVerifyClient directive in location make post to PHP script impossible
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=12355>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=12355
------- Additional Comments From yefym.dmukh@gmail.com 2005-08-30 11:17 -------
(In reply to comment #34)
> "SSLVerifyClient optional" seems also safe.
> Is "SSLOptions +OptRenegotiate" really needed, or is it an optimisation ?
> Is it totally safe ? The doc states to use this carefully.
The workaround explained above is not safe at least for apache 2.0.52.
"
RE: [users@httpd] Bug or Feature : global SSLVerifyClient in <VirtualHost>
overrides the same in <Location>?
Simple test scenario is :
1. access document root location - "SSLVerifyClient optional" , cancel
certificate choice window.
2. access location <Location "/auth"> with "SSLVerifyClient require" - no
triggered SSL negotiation - access without certificate granted.
Correct should be the following behaviour, but there is no re-negotiation:
>SSLVerifyClient is documented as working in directory context, so it should
also work in <Location> context. The manual page for mod_ssl does
>explicitly say that a SSL renegotiation is triggered if a request for the
location is received.
config sample:
<VirtualHost>
SSLVerifyClient optional
Alias /auth /htdocs/access
<Location "/access">
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate
SSLVerifyDepth 5
Options None
</Location>
</VirtualHost>
"
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org