I have a port 80, non-SSL site created for my family which has user
authentication configured as follows in access.conf:
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /usr/local/apache/etc/athorized-users
require valid-user
I have just installed Apache with mod-ssl which I find a great
improvement over Apache-SSL in terms of ease of use.
My question is this.
I set up a virtual server on port 443 for the above referenced site, using
the same lines from access.conf on both the port 80 and the port 443 servers.
It appears as if the user-authentication dialog takes place using export
grade RC4 and MD5 encryption even though the browser doesn't show a "lock
or key" secure symbol while the user-name and password authentication box
is presented on the screen. I suspect this from examining the following
lines from the ssl_request_log:
[11/Dec/1998:17:15:00 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 474
[11/Dec/1998:17:15:24 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 2308
[11/Dec/1998:17:15:25 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /_derived/index.html_cmp_global100_bnr.gif HTTP/1.0" 3593
[11/Dec/1998:17:15:25 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /_themes/global/glotextb.gif HTTP/1.0" 181
The first line from the log (above) is written to the log as the user-name
and password dialogue box is presented to the browser. The remaining lines
appear in the log after the user has entered their user-name and password,
and the index page is retrieved from the server. The "secure" symbol
appears in the browser window at this point.
Am I correct in assuming that the username and password which the user
enters are encrypted in transmission?
Thank you and regards,
Bruce
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
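
Added example, not part of the original post: a Python sketch that reads ssl_request_log entries in the layout quoted in the message (rejoining entries that were wrapped across lines when pasted) and lists the requests negotiated with an export-grade suite. It assumes SSLeay/OpenSSL-style cipher names in which export suites start with "EXP"; the RC4-MD5 and truncated sample entries are constructed.

```python
import re
from collections import Counter

# Layout seen in the post: [timestamp] host protocol cipher "request" bytes
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) '
    r'(?P<cipher>\S+) "(?P<request>[^"]*)" (?P<size>\d+|-)$'
)

# Constructed input: two entries from the post, wrapped across lines as in a
# pasted excerpt; the RC4-MD5 entry and the truncated entry are made up.
SAMPLE = '''\
[11/Dec/1998:17:15:00 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /
HTTP/1.0" 474
[11/Dec/1998:17:15:24 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /
HTTP/1.0" 2308
[11/Dec/1998:17:16:02 -0500] server.domain.com SSLv3 RC4-MD5 "GET / HTTP/1.0" 2308
[truncated entry
'''

def unwrap(text):
    """Rejoin wrapped entries: every real entry starts with '['."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def is_export_grade(cipher):
    # Assumption: SSLeay/OpenSSL-style names, export suites prefixed "EXP".
    return cipher.upper().startswith("EXP")

def audit(text):
    """Return (requests per cipher, export-grade entries, unparsable entries)."""
    by_cipher, weak, unparsed = Counter(), [], []
    for record in unwrap(text):
        m = LINE_RE.match(record)
        if m is None:
            unparsed.append(record)
            continue
        by_cipher[m["cipher"]] += 1
        if is_export_grade(m["cipher"]):
            weak.append(m.groupdict())
    return by_cipher, weak, unparsed

if __name__ == "__main__":
    print(audit(SAMPLE))
```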