Hi,
there is an error regarding the usage of 'SSLRequire' with 'Satisfy Any'.

In a setup like this:

<VirtualHost ....:443>
  SSLVerifyClient optional
  SSLVerifyDepth 10
  DocumentRoot /home/htdocs
  <Directory "/home/htdocs/">
    Satisfy Any
    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/O=myOrg/OU=myOU/CN=myPKI"
    Order deny,allow
    Deny from all
    Allow from 10.1.1
  </Directory>
</VirtualHost>

I was hoping that all users presenting a certificate matching the specified SSL_CLIENT_I_DN would be able to access the server from any IP, and that every user without a certificate would have to come from the local network 10.1.1.*!
But it seems to me that the positive check of SSLRequire is just ignored!
(I also tried using 'SSLOptions -StrictRequire' and different orders, but neither attempt helps.)

In ssl_engine_kernel.c I see, at the end of the function ssl_hook_Access:

    /*
     * Else access is granted from our point of view (except vendor
     * handlers override). But we have to return DECLINED here instead
     * of OK, because mod_auth and other modules still might want to
     * deny access.
     */

    return DECLINED;


Maybe it must be something like "if (ap_satisfies(r) == SATISFY_ANY) return OK; else return DECLINED;"? (No, I haven't tried this!)

Best regards!
Frank
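A small model of the access-check phase described above, added here as an illustration (it is not Apache's code and not Frank's). It assumes the documented 2.2 behaviour: the access_checker hook chain runs with RUN_ALL semantics (the first result that is neither OK nor DECLINED ends the chain, otherwise the chain yields OK), mod_ssl answers DECLINED when SSLRequire passes, and 'Satisfy Any' only falls back to authentication when an auth Require is configured, which the posted config lacks. The sample clients are constructed.

```python
# Simplified model of Apache 2.2's access_checker phase (assumption, not Apache source).
OK, DECLINED, HTTP_FORBIDDEN = 0, -1, 403
ISSUER = "/C=DE/O=myOrg/OU=myOU/CN=myPKI"   # issuer DN from the SSLRequire line


def ssl_hook_access(req):
    """Models mod_ssl: SSLRequire failing -> 403, passing -> DECLINED (never OK)."""
    return DECLINED if req.get("issuer_dn") == ISSUER else HTTP_FORBIDDEN


def authz_host_access(req):
    """Models 'Order deny,allow / Deny from all / Allow from 10.1.1'."""
    return OK if req["ip"].startswith("10.1.1.") else HTTP_FORBIDDEN


def run_access_checker(req, hooks=(ssl_hook_access, authz_host_access)):
    """RUN_ALL: any result other than OK/DECLINED aborts the chain, else OK."""
    for hook in hooks:
        rv = hook(req)
        if rv not in (OK, DECLINED):
            return rv
    return OK


def decide(req, auth_required=False):
    """Core 'Satisfy Any' branch: access chain OK -> done; otherwise fall back
    to authentication only if an auth Require is configured, else deny."""
    rv = run_access_checker(req)
    if rv == OK:
        return "allowed"
    return "try authentication" if auth_required else "denied %d" % rv


CLIENTS = {  # constructed sample requests (203.0.113.0/24 is a documentation range)
    "cert from outside": {"issuer_dn": ISSUER, "ip": "203.0.113.7"},
    "no cert from LAN": {"ip": "10.1.1.42"},
    "cert from LAN": {"issuer_dn": ISSUER, "ip": "10.1.1.42"},
}


def outcomes():
    """Result per client: only the client passing BOTH checks is allowed."""
    return {name: decide(req) for name, req in CLIENTS.items()}


if __name__ == "__main__":
    for name, result in outcomes().items():
        print("%-18s -> %s" % (name, result))
```

The model shows why the positive SSLRequire result is "ignored": DECLINED is not a vote for access in a RUN_ALL chain, so the host-based deny still decides, and a failing SSLRequire ends the chain with 403 before the IP rule is even considered.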

