This is a discussion on "SSLVerifyClient applies to parent directory" within the Modssl Users forums, part of the Web Server and Related Forums category.

Hi!
First of all: Thanks for your great software, I've used it on several servers and it proved to be very useful.

I have a little problem with the SSLVerifyClient directive on Apache 2.2.9 with mod_ssl compiled from source on Debian etch. I have the following directory layout:

/usr/local/htdocs/directory/subdirectory

and the following configuration options (besides the defaults) in httpd.conf:

Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"
</VirtualHost>

<Directory /usr/local/htdocs/directory/subdirectory>
    SSLVerifyClient require
    SSLVerifyDepth 1
</Directory>

The problem is that Apache denies access to:
https://MYSERVER/directory
as long as I don't present a valid client certificate.

People on freenode #apache were not able to help, therefore I'm asking here before filing a bug report.

Thanks in advance,
Florian

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org

Florian Hackenberger wrote:
> Hi!
>
> First of all: Thanks for your great software, I've used it on several
> servers and it proved to be very useful.
>
> I have a little problem with the SSLVerifyClient directive on Apache
> 2.2.9 with mod_ssl compiled from source on Debian etch. I have the
> following directory layout:
>
> /usr/local/htdocs/directory/subdirectory
>
> and the following configuration options (besides the defaults) in
> httpd.conf:
>
> Listen 443
> <VirtualHost *:443>
>     SSLEngine On
>     SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>     DocumentRoot "/usr/local/htdocs"
> </VirtualHost>
>
> <Directory /usr/local/htdocs/directory/subdirectory>
>     SSLVerifyClient require
>     SSLVerifyDepth 1
> </Directory>

Maybe try this:

Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"

    <Location /directory/subdirectory>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>

--
Chuck Norris was a CounterStrike champion before the Internet was invented.
Gilles CUESTA - Logiciels Libres
69139920

On Thursday 26 June 2008, Cuesta Gilles wrote:
> Maybe try this:
>
> Listen 443
> <VirtualHost *:443>
>     SSLEngine On
>     SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>     DocumentRoot "/usr/local/htdocs"
>
>     <Location /directory/subdirectory>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
>     </Location>
> </VirtualHost>

Unfortunately it leads to the same result, but thanks for the suggestion.

Cheers,
Florian

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
> <Directory /usr/local/htdocs/directory/subdirectory>
>     SSLVerifyClient require
>     SSLVerifyDepth 1
> </Directory>
>
> The problem is that Apache denies access to:
> https://MYSERVER/directory

It denies access for what type of request, a directory listing?

joe

On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?

Yes

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

Florian Hackenberger wrote:
> On Thursday 26 June 2008, Cuesta Gilles wrote:
>
>> Maybe try this:
>>
>> Listen 443
>> <VirtualHost *:443>
>>     SSLEngine On
>>     SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>>     DocumentRoot "/usr/local/htdocs"
>>
>>     <Location /directory/subdirectory>
>>         SSLVerifyClient require
>>         SSLVerifyDepth 1
>>     </Location>
>> </VirtualHost>
>
> Unfortunately it leads to the same result, but thanks for the
> suggestion.

Regarding mod_ssl:

"In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established."

"In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent."

So maybe:

Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"

    <Directory /usr/local/htdocs/directory/subdirectory>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
</VirtualHost>
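
The per-server versus per-directory distinction quoted from the mod_ssl documentation in the last message, as an added example that is not part of the thread: a small Python auditor (the name `audit_verify_client` and its output fields are hypothetical) that lists every SSLVerifyClient directive in a configuration with its enclosing sections and whether it is enforced at the initial handshake or by a renegotiation. The sample input is the configuration from the first message; line continuations and Include files are not handled.

```python
import re
# Constructed sample: the configuration posted in the first message of the thread.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"
</VirtualHost>

<Directory /usr/local/htdocs/directory/subdirectory>
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
"""

# Container sections that put a directive in per-directory context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*(\w+)\s*>$")

def audit_verify_client(conf_text):
    """Hypothetical helper (not part of Apache): one dict per SSLVerifyClient directive."""
    stack, findings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if not stack or stack[-1][0] != m.group(1).lower():
                raise ValueError(f"line {lineno}: unbalanced </{m.group(1)}>")
            stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip('"')))
            continue
        parts = line.split()
        if parts[0].lower() == "sslverifyclient" and len(parts) >= 2:
            per_dir = [s for s in stack if s[0] in PER_DIR]
            findings.append({"line": lineno, "level": parts[1].lower(),
                             "vhost": next((a for n, a in stack if n == "virtualhost"), None),
                             "scope": per_dir[-1][1] if per_dir else None,
                             # Phases as described in the documentation quoted above.
                             "phase": "renegotiation" if per_dir else "handshake"})
    return findings

if __name__ == "__main__":
    print(audit_verify_client(SAMPLE_CONF))
```

On the sample it reports a single `require` directive at line 9, in per-directory context and outside any VirtualHost section.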