Hello.

I have successfully done Client Authentication using client certificates with 
apache-openssl-modssl. 

SSLVerifyClient      none
<Directory /usr/local/apache/htdocs/secure/area>
SSLVerifyClient      require
SSLVerifyDepth       5
#SSLCACertificateFile conf/ssl.crt/ca.crt
#SSLCACertificatePath conf/ssl.crt
SSLOptions           +FakeBasicAuth
SSLRequireSSL
SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
                     %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
</Directory>

The definitions of SSLCACertificateFile and SSLCACertificatePath are above in 
the httpd.conf file. 
When I try to connect to https://www.xxx.xx/secure the server asks for the 
certificate, validates it and shows index.html in the secure directory. 
Everything seems to work fine.

But when I do a http://www.xxx.xx/secure I can still see the index.html. 
According to my understanding the index.html in the secure directory should not 
be shown. Can anyone help me with this? Is there anything more I should do to 
prevent access from http on the secure directory?

Thanx 
Haldor Husby.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]