Thanks - I turned it on for each vhost and it doesn't appear to cause any 
issue. From what you included about SSLVerify, does it mean that option is 
required for SSLVerifyClient to work properly?

Karl

On Monday, November 25, 2013 4:46:33 AM UTC-5, pdpinfo wrote:
>
> Hi,
>
> I'm glad to hear good news,
> and congrats because the setup is a bit tricky.
> I noticed you enabled "SSLProxyMachineCertificateFile". I think that now 
> the next step would be to enable "mandatory certificate checking" on 
> puppetmaster_host of remote_proxy_host certificate.
> I will try this configuration in the near future.
> I guess it will need:
>
>
> SSLVerifyClient require
>
> and some variable checking; i.e. a compound expression, maybe working as the 
> following:
> SSLRequire (( ( %{SSL_CLIENT_S_DN_Email} in {"al...@example.com"} ) or 
> ( %{SSL_CLIENT_S_DN_Email} in {"ali...@example.com"}) ) and 
> ( %{SSL_CLIENT_V_REMAIN} > 0 ) and (( %{SSL_CLIENT_I_DN_CN} in 
> {"CA Cert Signing Authority"}) or ( %{SSL_CLIENT_I_DN_CN} in 
> {"CAcert Class 3 Root"}) ))
> or at a minimum checking the client CN.
>
> Let me know,
>
> regards
>
> Paolo
>
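
Added example, not part of either message: a mod_ssl sketch of the setup described in the quoted reply, with SSLVerifyClient require enforcing chain validation during the handshake and SSLRequire adding a check on fields of the already-verified certificate. The port, all file paths and the CN value are placeholders (assumptions, not taken from the thread); SSLRequire is only valid in directory context, hence the Location block.

```apache
# Added example. Port, paths and the CN value below are placeholders.
<VirtualHost *:8140>
    SSLEngine on

    # Server identity presented by puppetmaster_host.
    SSLCertificateFile      /path/to/puppetmaster_host-cert.pem
    SSLCertificateKeyFile   /path/to/puppetmaster_host-key.pem

    # CA used to validate the certificate that remote_proxy_host sends
    # (the one it loads through SSLProxyMachineCertificateFile).
    SSLCACertificateFile    /path/to/ca.pem

    # Handshake-level check: the connection is refused unless the client
    # presents a certificate that chains to the CA above.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location />
        # Authorization-level check, evaluated per request after the
        # handshake succeeded: certificate still valid (days remaining > 0)
        # and the subject CN is the expected proxy host.
        SSLRequire ( %{SSL_CLIENT_V_REMAIN} > 0 ) and ( %{SSL_CLIENT_S_DN_CN} in {"remote_proxy_host.example.com"} )
    </Location>
</VirtualHost>
```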

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.