Full_Name: Ari Suutari
Version: 2.8.2
OS: FreeBSD 4.3
Submission from: (NULL) (195.197.177.229)


I have an SSL site using "SSLOptions +FakeBasicAuth" and "SSLVerifyClient
require". Access to static content works OK, but
when trying to access pages served by Apache JServ 1.1.2, I get a FORBIDDEN error.


Dynamic pages (.jsp and .shtml) are configured via the
ApJServAction directive, which seems to perform an internal redirect
(via ap_internal_redirect_handler)
in Apache, causing the request to hit mod_ssl a second time. At that
point, there is already a faked authorization inserted by mod_ssl
in the headers, which causes the check in ssl_engine_kernel.c
at line 1115 to be hit, returning FORBIDDEN to the user.

The workaround is to comment the check out. Maybe it could be optional
in future releases or there should be some kind of extra check
to make sure that mod_ssl is not forbidding an authorization that
it has inserted itself.
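
Added example, not part of the original report and not mod_ssl's own code: a simplified C model of the behaviour described above, with a variant that keeps the anti-spoofing check on the initial pass but skips it on the internal redirect. The `struct req`, the function names and the sample DN are hypothetical; the test for a DN-style username with the fixed password "password" is an assumption modelled on mod_ssl's FakeBasicAuth check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define OK 0
#define FORBIDDEN 403

/* Hypothetical stand-in for Apache's request_rec. */
struct req {
    char auth[256];          /* decoded Basic credentials "user:pass", "" if none */
    bool internal_redirect;  /* true on the second pass through the hook */
};
typedef int (*hook_fn)(struct req *, const char *);

/* Anti-spoofing test: username looks like a subject DN, password is "password". */
static bool looks_faked(const struct req *r) {
    const char *colon = strchr(r->auth, ':');
    return r->auth[0] == '/' && colon && strcmp(colon + 1, "password") == 0;
}

/* Reported behaviour: the check runs on every pass, so the second pass
 * rejects the credentials the first pass inserted. */
int auth_hook_reported(struct req *r, const char *subject_dn) {
    if (looks_faked(r)) return FORBIDDEN;
    snprintf(r->auth, sizeof r->auth, "%s:password", subject_dn);
    return OK;
}

/* Variant with the extra check: client-supplied headers were already
 * vetted on the initial pass, so the redirect pass is let through. */
int auth_hook_guarded(struct req *r, const char *subject_dn) {
    if (r->internal_redirect) return OK;
    return auth_hook_reported(r, subject_dn);
}

/* Initial request followed by an ApJServAction-style internal redirect. */
int serve_dynamic(hook_fn hook, const char *client_auth, const char *dn) {
    struct req r = { "", false };
    snprintf(r.auth, sizeof r.auth, "%s", client_auth);
    int rc = hook(&r, dn);
    if (rc != OK) return rc;
    r.internal_redirect = true;
    return hook(&r, dn);
}

int main(void) {
    const char *dn = "/C=FI/CN=constructed-client";  /* constructed sample DN */
    printf("reported: %d\n", serve_dynamic(auth_hook_reported, "", dn));
    printf("guarded:  %d\n", serve_dynamic(auth_hook_guarded, "", dn));
    return 0;
}
```

In both variants a client that sends DN-style credentials itself is still rejected on the initial pass; only the re-entry after the redirect differs.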