On Fri, Mar 24, 2000, folivas wrote:
> I was wondering if mod_ssl can handle the proxy svr as a client to a
> backend web server. In other words, when the proxy svr passes a browser
> request to a backend web server, the backend web server requires a
> client certificate as well as passing the proxy svr its own server
> certificate. In this scenario, what directive(s) do I use to tell the
> proxy svr to look for the client certificate of the proxy svr to be
> passed.

This change with 2.6.0 could help you:

   *) Merged in enhanced HTTPS Proxy Support which is derived from
      Stronghold 2.x and was originally contributed by C2Net over one
      year ago. This is still _EXPERIMENTAL_ stuff, so it is entirely
      wrapped with SSL_EXPERIMENTAL sections and has to be enabled under
      build-time with --enable-rule=SSL_EXPERIMENTAL. Then the following
      new configuration directives are provided to fine-tune the HTTPS
      proxy support:

       o SSLProxyProtocol [+-][SSLv2|SSLv3|TLSv1] ...
         (enable or disable SSL protocol flavors)
       o SSLProxyCipherSuite XXX:...:XXX
         (colon-delimited list of permitted SSL ciphers)
       o SSLProxyVerify on|off
         (whether to verify the remote certificate)
       o SSLProxyVerifyDepth N
         (maximum certificate verification depth)
       o SSLProxyCACertificateFile /path/to/file
         (file containing server certificates)
       o SSLProxyCACertificatePath /path/to/dir
         (directory containing server certificates)
       o SSLProxyMachineCertificateFile /path/to/file
         (file containing client certificates)
       o SSLProxyMachineCertificatePath /path/to/dir
         (directory containing client certificates)

      This stuff is declared experimental, because it was still _NOT_
      tested in depth and is still _UNDOCUMENTED_. So keep in mind what
      SSL_EXPERIMENTAL means and use this with care!

Ralf S. Engelschall
www.engelschall.com
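
A configuration sketch for the scenario in the question, built only from the directives in the changelog entry quoted above. It is an added example, not part of the original post or of the mod_ssl distribution. The backend hostname, all file paths and the use of mod_proxy's ProxyPass with an https:// target are assumptions, and because the 2.6.0 directives are undocumented the argument syntax follows the changelog listing literally.

```apache
# Added example. Assumptions: backend.example.com, every /path/to/... value,
# and a mod_ssl 2.6.0 build configured with --enable-rule=SSL_EXPERIMENTAL.
# Place these in the server or virtual host that performs the proxying.

# Hand requests under /app/ to the backend web server over HTTPS (mod_proxy).
ProxyPass /app/ https://backend.example.com/app/

# Offer only TLSv1 on the outgoing connection, the newest flavor in the listing.
SSLProxyProtocol +TLSv1

# Verify the certificate the backend presents. With "off" the proxy would
# send its client certificate to whichever host answers on that address.
SSLProxyVerify on
SSLProxyVerifyDepth 2

# CA certificate(s) used to verify the backend's server certificate.
SSLProxyCACertificateFile /path/to/backend-ca.crt

# Client certificate the proxy presents when the backend requests one.
# The listing does not say how the matching private key is supplied;
# whichever file holds it should be readable only by the server's user.
SSLProxyMachineCertificateFile /path/to/proxy-client.pem
```

On the backend, the CA that issued the proxy's client certificate has to be among the CAs it accepts for client authentication, otherwise the handshake fails before any request is forwarded.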