Hi!

I use a web framework that can be accessed over three virtual hosts:

1. http://host:80/   insecure
2. https://host:443/ ssl anonymous, no user auth. "SSLVerifyClient none"
3. https://host:444/ only valid users "SSLVerifyClient require" (own CA)

Problem: When switching from authenticated to anonymous-ssl (444->443) mod_ssl keeps the User-Certificate for some time. IMHO this is a bug, or why is there an option "SSLVerifyClient optional" if "SSLVerifyClient none" can't drop/ignore presented Certs???

I observed this behavior with IE 5.01, but it's not a client issue.

If "SSLVerifyClient none" is specified, it's simply a bug if the following perl expression evaluates to true in some cases:

    $ENV{SSL_CLIENT_VERIFY} eq 'SUCCESS'

and it definitely evaluates to true here "sometimes" on port 443.

"SSLVerifyClient none" should IMHO actively reject Client Certificates independent of other SSL options. This is not a "heavy" security bug, but very annoying if auth-users want to go back into "anonymous" SSL areas. (Ok, as a quick and dirty fix I could check the port first and "fix" the SSL_CLIENT_VERIFY variable manually, but this is really an ugly hack.)

BTW: Hmm, ever noted that a "make install" within apache overwrites the existing server key(!) under some conditions by a file with a content like:

    "THIS FILE SHOULD BE REPLACED BY A REAL SERVER KEY"

I suggest at least a better text:

    "THIS FILE HAS REPLACED YOUR REAL SERVER KEY" :)

My config (Linux 2.4.0-test10):
Apache/1.3.14 (Unix) PHP/4.0.3pl1 mod_perl/1.24_01 mod_ssl/2.7.1 OpenSSL/0.9.6

--
ciao - Stefan

" export PS1="((((((((((((rms))))))))))))# " "
Stefan Traby             Linux/ia32    fax:   +43-3133-6107-9
Mitterlasznitzstr. 13    Linux/alpha   phone: +43-3133-6107-2
8302 Nestelbach          Linux/sparc   http://www.hello-penguin.com
Austria                  mailto:[EMAIL PROTECTED]
Europe                   mailto:[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
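The "check the port first" workaround mentioned in the post, written out as an added example; this is not code from the post or from mod_ssl. It assumes the CGI-style environment a mod_perl handler or CGI script sees (SERVER_PORT, SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN) and takes port 444 from the post as the only vhost that actually enforces "SSLVerifyClient require". The point from a defender's side: a verified client certificate reported by mod_ssl is only an authentication decision on the vhost that was configured to demand one; on any other vhost the value may be left over from an earlier SSL session and must not be treated as a login.

```perl
#!/usr/bin/perl
# Added example (not from the original post): trust SSL_CLIENT_VERIFY
# only on the vhost that requires client certificates, and scrub the
# stale state everywhere else so downstream code cannot misread it.
use strict;
use warnings;

# Assumption from the post: 444 is the "SSLVerifyClient require" vhost.
my %CERT_AUTH_PORTS = (444 => 1);

# Returns the client DN when the request is certificate-authenticated on
# a port that enforces it, otherwise undef (anonymous or insecure access).
sub cert_auth_user {
    my ($env) = @_;
    my $port = $env->{SERVER_PORT} || '';
    return undef unless $CERT_AUTH_PORTS{$port};
    return undef unless ($env->{SSL_CLIENT_VERIFY} || '') eq 'SUCCESS';
    return $env->{SSL_CLIENT_S_DN};
}

# On a vhost that does not require certificates, drop any leaked
# verification result. Returns 1 if a stale certificate was scrubbed.
sub scrub_stale_cert {
    my ($env) = @_;
    my $port = $env->{SERVER_PORT} || '';
    return 0 if $CERT_AUTH_PORTS{$port};
    return 0 unless ($env->{SSL_CLIENT_VERIFY} || '') eq 'SUCCESS';
    $env->{SSL_CLIENT_VERIFY} = 'NONE';
    delete $env->{$_} for grep { /^SSL_CLIENT_/ && $_ ne 'SSL_CLIENT_VERIFY' } keys %$env;
    return 1;
}

# Constructed sample environments (not captured traffic): the situation
# from the post is the second one, a verified cert showing up on port 443.
my @samples = (
    { SERVER_PORT => 444, SSL_CLIENT_VERIFY => 'SUCCESS',
      SSL_CLIENT_S_DN => '/CN=stefan/O=example' },
    { SERVER_PORT => 443, SSL_CLIENT_VERIFY => 'SUCCESS',
      SSL_CLIENT_S_DN => '/CN=stefan/O=example' },
    { SERVER_PORT => 443, SSL_CLIENT_VERIFY => 'NONE' },
    { SERVER_PORT => 80 },
);

for my $env (@samples) {
    my $user = cert_auth_user($env);
    my $scrubbed = scrub_stale_cert($env);
    printf "port %-3s user=%-22s stale_cert_scrubbed=%d verify_after=%s\n",
        $env->{SERVER_PORT}, defined $user ? $user : '(anonymous)',
        $scrubbed, $env->{SSL_CLIENT_VERIFY} || '(unset)';
}
```

Running the block prints a cert user only for the port 444 sample; the port 443 sample with the leaked SUCCESS is reported as anonymous and its SSL_CLIENT_* variables are scrubbed, which is the behaviour the post argues "SSLVerifyClient none" should give on its own. In a real mod_perl 1.x handler the same checks would run against the request's subprocess environment rather than a passed-in hash.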
