SSLVerifyClient applies to parent directory - modssl

This is a discussion on SSLVerifyClient applies to parent directory - modssl ; Hi! First of all: Thanks for your great software, I've used it on several server and it proved to be very useful. I have a little problem with the SSLVerifyClient directive on apache 2.2.9 with mod_ssl compiled from source on ...

+ Reply to Thread
Results 1 to 6 of 6

Thread: SSLVerifyClient applies to parent directory

  1. SSLVerifyClient applies to parent directory

    Hi!

    First of all: Thanks for your great software, I've used it on several
    server and it proved to be very useful.

    I have a little problem with the SSLVerifyClient directive on apache
    2.2.9 with mod_ssl compiled from source on debian etch. I have the
    following directory layout:

    /usr/local/htdocs/directory/subdirectory

    and the following configuration options (besides the defaults) in
    httpd.conf:

    Listen 443

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"



    SSLVerifyClient require
    SSLVerifyDepth 1


    The problem is that apache denies access to:
    https//MYSERVER/directory

    as long as I don't present a valid client certificate.

    People on freenode #apache were not able to help, therefore I'm asking
    here before filing a bug report.

    Thanks in advance,
    Florian

    --
    DI Florian Hackenberger
    florian@hackenberger.at
    www.hackenberger.at
    __________________________________________________ ____________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


  2. Re: SSLVerifyClient applies to parent directory

    Florian Hackenberger a écrit :
    > Hi!
    >
    > First of all: Thanks for your great software, I've used it on several
    > server and it proved to be very useful.
    >
    > I have a little problem with the SSLVerifyClient directive on apache
    > 2.2.9 with mod_ssl compiled from source on debian etch. I have the
    > following directory layout:
    >
    > /usr/local/htdocs/directory/subdirectory
    >
    > and the following configuration options (besides the defaults) in
    > httpd.conf:
    >
    > Listen 443
    >
    > SSLEngine On
    > SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    > DocumentRoot "/usr/local/htdocs"
    >

    >
    >
    > SSLVerifyClient require
    > SSLVerifyDepth 1
    >

    >
    >


    Maybe try this:

    Listen 443

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"


    SSLVerifyClient require
    SSLVerifyDepth 1



    --
    Chuck Norris était champion de CounterStrike avant que l'on n'invente Internet.
    Gilles CUESTA - Logiciels Libres
    69139920



    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.6 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFIY718545quQSHen8RArftAJ0SrDbOGVTG2yilwczEgG ZXrbfg4wCfekuA
    iJPnjUVjiBlJKxR617zySpA=
    =Davj
    -----END PGP SIGNATURE-----


  3. Re: SSLVerifyClient applies to parent directory

    On Thursday 26 June 2008, Cuesta Gilles wrote:
    > Maybe try this:
    >
    > Listen 443
    >
    > SSLEngine On
    > SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    > DocumentRoot "/usr/local/htdocs"
    >
    >
    > SSLVerifyClient require
    > SSLVerifyDepth 1
    >

    >


    Unfortunately it leads to the same result, but thanks for the
    suggestion.

    Cheers,
    Florian
    --
    DI Florian Hackenberger
    florian@hackenberger.at
    www.hackenberger.at
    __________________________________________________ ____________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


  4. Re: SSLVerifyClient applies to parent directory

    On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
    >
    > SSLVerifyClient require
    > SSLVerifyDepth 1
    >

    >
    > The problem is that apache denies access to:
    > https//MYSERVER/directory


    It denies access for what type of request, a directory listing?

    joe
    __________________________________________________ ____________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


  5. Re: SSLVerifyClient applies to parent directory

    On Thursday 26 June 2008, Joe Orton wrote:
    > It denies access for what type of request, a directory listing?

    Yes


    --
    DI Florian Hackenberger
    florian@hackenberger.at
    www.hackenberger.at
    __________________________________________________ ____________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


  6. Re: SSLVerifyClient applies to parent directory

    Florian Hackenberger a écrit :
    > On Thursday 26 June 2008, Cuesta Gilles wrote:
    >
    >> Maybe try this:
    >>
    >> Listen 443
    >>
    >> SSLEngine On
    >> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    >> DocumentRoot "/usr/local/htdocs"
    >>
    >>
    >> SSLVerifyClient require
    >> SSLVerifyDepth 1
    >>

    >>

    >>

    >
    > Unfortunately it leads to the same result, but thanks for the
    > suggestion.
    >
    >

    Regarding mod_ssl:
    "In per-server context it applies to the client authentication process
    used in the standard SSL handshake when a connection is established. "
    "In per-directory context it forces a SSL renegotation with the
    reconfigured client verification level after the HTTP request was read
    but before the HTTP response is sent."

    So maybe:

    Listen 443

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"


    SSLVerifyClient require
    SSLVerifyDepth 1



    __________________________________________________ ____________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


+ Reply to Thread