Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/08/30 11:18:32 UTC

DO NOT REPLY [Bug 12355] - SSLVerifyClient directive in location make post to PHP script impossible


http://issues.apache.org/bugzilla/show_bug.cgi?id=12355





------- Additional Comments From yefym.dmukh@gmail.com  2005-08-30 11:17 -------
(In reply to comment #34)
> "SSLVerifyClient optional" seems also safe.
> Is "SSLOptions +OptRenegotiate" really needed, or is it an optimisation ?
> Is it totally safe ? The doc states to use this carefully.


The workaround explained above is not safe, at least for Apache 2.0.52.
"
RE: [users@httpd] Bug or Feature : global SSLVerifyClient in <VirtualHost>
overrides the same in  <Location>?

A simple test scenario is:
1. Access the document root location ("SSLVerifyClient optional") and cancel
the certificate choice window.
2. Access the location <Location "/auth"> with "SSLVerifyClient require": no
SSL negotiation is triggered, and access is granted without a certificate.

The following should be the correct behaviour, but there is no renegotiation:
> SSLVerifyClient is documented as working in directory context, so it should
> also work in <Location> context. The manual page for mod_ssl does
> explicitly say that an SSL renegotiation is triggered if a request for the
> location is received.


config sample:

<VirtualHost> 
SSLVerifyClient optional 

Alias /auth   /htdocs/access 
<Location "/access"> 
SSLVerifyClient require 
SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate
SSLVerifyDepth 5 
Options None 
</Location> 

</VirtualHost> 

"







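An added example, not part of the original message or of httpd: a small Python audit that lists the per-directory sections which raise SSLVerifyClient to "require" above the enclosing level, that is, the sections depending on the renegotiation this comment reports as not being triggered on 2.0.52, so that each listed path can be tested without a client certificate. The parser, the function names and the sample configuration (modelled on the one quoted in the message) are assumptions made for this example.

```python
import re
# Constructed sample, modelled on the configuration quoted in the report.
SAMPLE_CONF = """\
<VirtualHost>
SSLVerifyClient optional
Alias /auth /htdocs/access
<Location "/access">
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate
</Location>
</VirtualHost>
"""

OPEN = re.compile(r'<(\w+)\s*"?([^">]*)"?\s*>$')
CLOSE = re.compile(r'</(\w+)>$')
# Per-directory sections: SSLVerifyClient here is applied by renegotiation.
PER_DIR = {"location", "locationmatch", "directory", "directorymatch"}

def effective(stack):
    """Innermost SSLVerifyClient level set by an enclosing scope (default: none)."""
    for sec in reversed(stack):
        if sec["verify"]:
            return sec["verify"]
    return "none"

def audit(conf):
    """Return (path, outer_level, has_optrenegotiate) per section that raises to 'require'."""
    stack = [{"kind": "server", "arg": "", "verify": None, "optreneg": False}]
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line) and len(stack) > 1:
            sec = stack.pop()
            outer = effective(stack)  # level negotiated before this section applies
            if sec["kind"] in PER_DIR and sec["verify"] == "require" and outer != "require":
                findings.append((sec["arg"], outer, sec["optreneg"]))
        elif OPEN.match(line):
            kind, arg = OPEN.match(line).groups()
            stack.append({"kind": kind.lower(), "arg": arg.strip(), "verify": None, "optreneg": False})
        else:
            parts = line.split()
            if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
                stack[-1]["verify"] = parts[1].lower()
            elif parts[0].lower() == "ssloptions":
                stack[-1]["optreneg"] = "+optrenegotiate" in [p.lower() for p in parts[1:]]
    return findings
```

For the sample, `audit(SAMPLE_CONF)` returns `[("/access", "optional", True)]`; an empty list means no section depends on a per-request upgrade to "require".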