Hi,
Actually I think that this may be a browser issue. Not apache, but the
browser is asking which client certificate you want to present to the
server. I know that in Firefox there's an option which lets you either
always ask the user, or always present the same 1 client certificate.
So... it may be that this isn't related to the URI, but just to the
interaction between server and browser.
Karel
On Feb 11, 2009, at 2:10 PM, Eric Covener wrote:
> On Tue, Feb 10, 2009 at 11:43 PM, - - <jensir...@hotmail.de> wrote:
>> Hi,
>> I recently set up an environment for testing client certificate based
>> authentication on an apache webserver. The test environment is a recent
>> Ubuntu 8.10 distro with tinyca2 0.7.5 and apache 2.2.9. I have set up a
>> test root CA, two certificates signed by this CA: One for the webserver
>> and one for the user. Everything done by tinyca2. First I configured
>> apache to allow only ssl-connections (no client certificates yet):
>> Everything worked so far: /var/www is only accessible via https. Now I
>> added a new subdirectory /var/www/secret with a dummy index.html which
>> should only be accessible by users which provide a certificate. So I
>> added this to my sites-enabled/foo.conf:
>> ...
>> SSLVerifyClient none
>> ...
>> SSLVerifyClient require
>> SSLVerifyDepth 2
>> SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>> and %{SSL_CLIENT_S_DN_CN} eq "My name in CN of certificate" )
>> What I expected was: outside of /var/www/secret (i.e. in /var/www or
>> /var/www/public) documents are accessible by everyone, only inside of
>> /var/www/secret a user needs to provide his certificate.
>> What I got was: apache asks for the user's certificate no matter which
>> document is requested (i.e. inside AND outside of /var/www/secret).
> Can you post your verbatim configuration? The operative context isn't
> really shown.
> --
> Eric Covener
> cove...@gmail.com
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> " from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
--
Best regards / met vriendelijke groet, Karel Kubat
Mob +31 6 2956 4861
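
The "operative context" asked about in the thread decides when mod_ssl requests the certificate: SSLVerifyClient at server or virtual-host level applies in the initial handshake for every URL, while inside a per-directory container it applies only to matching requests, through a renegotiation. The checker below is an added example, not part of the thread or of Apache; the sample configuration is constructed, and its <Directory /var/www/secret> layout and the function names are assumptions.

```python
import re

# Constructed sample, NOT the poster's file (the thread never shows it).
# The <VirtualHost>/<Directory> layout is an assumption for illustration.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLVerifyClient none
    <Directory /var/www/secret>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>
</VirtualHost>
"""

# Containers that put a directive in per-directory context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

def verify_client_contexts(conf_text):
    """Return [(context, level)] for every SSLVerifyClient directive.

    context is the innermost per-directory container, or "server/vhost"
    when the directive sits outside all of them. Assumes well-nested
    containers and one virtual host; Include files are not followed.
    """
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if tag:
            closing, name, arg = tag.groups()
            if closing and stack:
                stack.pop()
            elif not closing:
                stack.append((name, arg.strip().strip('"')))
            continue
        parts = line.split()
        if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            scoped = [f"{n} {a}" for n, a in stack if n.lower() in PER_DIR]
            found.append((scoped[-1] if scoped else "server/vhost",
                          parts[1].lower()))
    return found

def handshake_level(conf_text):
    """Level enforced in the initial handshake, i.e. for every URL."""
    levels = [lvl for ctx, lvl in verify_client_contexts(conf_text)
              if ctx == "server/vhost"]
    return levels[-1] if levels else "none"  # mod_ssl default is none
```

A handshake_level() of "require" means every request triggers the certificate prompt, whatever the URL; "none" together with a "Directory ..." entry at "require" means the prompt is limited to that directory.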