DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=12355>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=12355 ------- Additional Comments From [EMAIL PROTECTED] 2005-08-30 11:17 ------- (In reply to comment #34) > "SSLVerifyClient optional" seems also safe. > Is "SSLOptions +OptRenegotiate" really needed, or is it an optimisation ? > Is it totally safe ? The doc states to use this carefully. The workaround explained above is not safe at least for apache 2.0.52. " RE: [EMAIL PROTECTED] Bug or Feature : global SSLVerifyClient in <VirtualHost> overrides the same in <Location>? Simple test scenario is : 1. access document root location - "SSLVerifyClient optional" , cancel certificate choice window. 2. access location <Location "/auth"> with "SSLVerifyClient require" - no triggered SSL negotiation - access without certificate granted. Correct should be the following behaviour, but there is no re-negotiation: >SSLVerifyClient is documented as working in directory context, so it should also work in <Location> context. The manual page for mod_ssl does >explicitly say that a SSL renegotiation is triggered if a request for the location is received. config sample: <VirtualHost> SSLVerifyClient optional Alias /auth /htdocs/access <Location "/access"> SSLVerifyClient require SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate SSLVerifyDepth 5 Options None </Location> </VirtualHost> " -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
