Thanks - I turned it on for each vhost and it doesn't appear to cause any
issue. From what you included about SSLVerify, does it mean that option is
required for SSLVerifyClient to work properly?
Karl
On Monday, November 25, 2013 4:46:33 AM UTC-5, pdpinfo wrote:
>
> Hi,
>
> I'm glad to hear good news,
> and congrats because the setup is a bit tricky.
> I noticed you enabled "SSLProxyMachineCertificateFile". I think that now
> the next step would be to enable "mandatory certificate checking" on
> puppetmaster_host of remote_proxy_host certificate.
> I will try this configuration in the next future.
> I guess it will need:
>
>
> *SSLVerifyClient require*
>
> and some variable checking;i.e. a compound expression, maybe working as the
> following:
> *SSLRequire *(( ( %{SSL_CLIENT_S_DN_Email} in {"al...@example.com
> <javascript:>"} ) or ( %{SSL_CLIENT_S_DN_Email} in {"ali...@example.com
> <javascript:>"}) ) and ( %{SSL_CLIENT_V_REMAIN} > 0 ) and ((
> %{SSL_CLIENT_I_DN_CN} in {"CA Cert Signing Authority"}) or (
> %{SSL_CLIENT_I_DN_CN} in {"CAcert Class 3 Root"}) ))
> or at a minimum checking the client CN.
>
> Let me know,
>
> regards
>
> Paolo
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/b3776a41-87fa-4a74-aad6-27ff63b73927%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
