DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=41911>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41911

------- Additional Comments From [EMAIL PROTECTED] 2007-03-26 18:07 -------

Yes, if I access the /test/subdir using "DE" client certificate, I get 403.

-------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem -E certs/client2.pem:password --dump-header - -o - https://lbasantk3.red.iplanet.com:4005/test/subdir/
HTTP/1.1 403 Forbidden
Date: Tue, 27 Mar 2007 00:39:18 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 214
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/subdir/
on this server.</p>
</body></html>
-------------------------------------------

In error log, I see

[Mon Mar 26 17:39:18 2007] [info] Failed expression: %{SSL_CLIENT_S_DN_C} eq "US"
[Mon Mar 26 17:39:18 2007] [error] [client 192.18.120.216] access to /disk/apache/apache2/htdocs/test/subdir/ failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Probably regular expression can help you e.g.

<Directory ~ "/disk/apache/apache2/htdocs/test$">
...
SSLRequire %{SSL_CLIENT_S_DN_C} eq "US"
</Directory>

I believe you certainly can write a special module which can be used to check the URI and make such requirements.

>Maybe it should be an
>enhancement request to allow the possibility to turn off or override
>the "directory cascade" ?

Turning off the "directory cascade" is not intuitive and may be considered a big security hole. Unix OS provides a file system and doesn't provide any way to set this to off (afaik).

Also I believe, you can achieve your target by redesigning the files/directory and place various constraints e.g.

/test : provide constraint like %{SSL_CLIENT_S_DN_C} eq "US" or eq "DE"
/test/files_US : if accessible by client %{SSL_CLIENT_S_DN_C} eq "US"
/test/files_DE : if accessible by client %{SSL_CLIENT_S_DN_C} eq "DE"

Should we close this bug as "Invalid"?
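
Added example, not part of the original comment and not mod_ssl code: a simplified Python model of the "directory cascade" seen in the error log above, where an SSLRequire set on /test is also enforced for /test/subdir, compared with the redesigned layout proposed in the comment. It assumes every enclosing directory's expression must hold; the names check, applicable, ORIGINAL and REDESIGN are hypothetical, and paths are shown relative to htdocs.

```python
# Simplified model (added example): SSLRequire expressions from every
# enclosing <Directory> section accumulate, and all of them must hold.
from pathlib import PurePosixPath


def country(*allowed):
    """Predicate standing in for %{SSL_CLIENT_S_DN_C} eq "..." tests."""
    return lambda env: env.get("SSL_CLIENT_S_DN_C") in allowed


def applicable(sections, path):
    """Sections whose directory is the path itself or one of its parents."""
    target = PurePosixPath(path)
    hits = []
    for directory, label, predicate in sections:
        d = PurePosixPath(directory)
        if target == d or d in target.parents:
            hits.append((directory, label, predicate))
    return sorted(hits, key=lambda h: len(h[0]))  # outermost first


def check(sections, path, client_env):
    """Return (allowed, labels of the expressions that failed)."""
    failed = [label for _, label, pred in applicable(sections, path)
              if not pred(client_env)]
    return (not failed, failed)


# Layout from the bug report: one requirement on /test.
ORIGINAL = [("/test", 'C eq "US"', country("US"))]

# Layout proposed in the comment: broad rule on top, narrow rules below.
REDESIGN = [
    ("/test", 'C eq "US" or C eq "DE"', country("US", "DE")),
    ("/test/files_US", 'C eq "US"', country("US")),
    ("/test/files_DE", 'C eq "DE"', country("DE")),
]

# Constructed client environments (only the DN country field is modelled).
DE = {"SSL_CLIENT_S_DN_C": "DE"}
US = {"SSL_CLIENT_S_DN_C": "US"}

if __name__ == "__main__":
    for name, layout in (("original", ORIGINAL), ("redesign", REDESIGN)):
        for path in ("/test/subdir/", "/test/files_US/", "/test/files_DE/"):
            print(name, path, "DE ->", check(layout, path, DE))
```

In the model, the DE client is refused on /test/subdir under the original layout because of the parent's expression, while the redesigned layout lets each country reach only its own subdirectory.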
