Creating an exception for SSLVerifyClient require

I have apache2 httpd version 2.2.9 listening on port 443 with SSLEngine enabled. All URLs have SSLVerifyClient require, and this works fine.

I want to make an exception for a specific URL (/ca.crt) so that my clients can download the CA certificate with which they are signed. I tried the following:

    SSLVerifyClient require
    Alias /ca.crt /my/ssl/certs/ca.crt
    <Location /ca.crt>
        SSLVerifyClient none
    </Location>

My problem is that Apache seems to want to increase the strength of the SSL client certificate requirements. If I flip these two requirements, it works as directed. Since it is configured above, Apache effectively ignores the SSLVerifyClient none directive.

What's happening? Is this a mistake?

+4
1 answer

Well, it turns out that the answer to this question is contained in the documentation (as usually happens!)

In the context of each server, the [SSLVerifyClient directive] applies to the client authentication process in the standard SSL handshake when the connection is established.

Basically, the first SSLVerifyClient directive was in per-server context. I made an explicit <Directory> declaration for the root directory and placed the SSLVerifyClient require directive there. It did the trick.

+7
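
The configuration the answer describes, written out as an added example (not the poster's actual configuration). The `Alias` and paths come from the question; the `<VirtualHost>` wrapper is an assumption, and certificate/key directives are omitted.

```apache
# Added example, not from the original post.

# --- Before (from the question) ---
# A server-level "require" is enforced during the initial SSL handshake,
# before Apache knows which URL is being requested, so the <Location>
# exception can never take effect.
#
# SSLVerifyClient require
# Alias /ca.crt /my/ssl/certs/ca.crt
# <Location /ca.crt>
#     SSLVerifyClient none
# </Location>

# --- After (what the answer describes) ---
<VirtualHost *:443>
    SSLEngine on

    # No SSLVerifyClient in per-server context: the initial handshake
    # does not ask for a client certificate (the default is "none").

    # Per-directory context: require a client certificate for everything
    # served from the filesystem.
    <Directory />
        SSLVerifyClient require
    </Directory>

    Alias /ca.crt /my/ssl/certs/ca.crt

    # <Location> sections are merged after <Directory> sections, so this
    # lifts the requirement for this one URL only.
    <Location /ca.crt>
        SSLVerifyClient none
    </Location>
</VirtualHost>
```

`<Directory />` only covers requests that map to the filesystem, so content served another way (for example through `ProxyPass`) needs its own `SSLVerifyClient require`. After reloading, request `/ca.crt` and one protected URL without a client certificate to confirm that only the first succeeds.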

Source: https://habr.com/ru/post/1339949/

