I've tried this both with the stock (fully patched) RedHat 7.2, and with
a fresh-built Apache 1.3.26 + modssl-2.8.10-1.3.26 + openssl-0.9.6g.
With the attached config snippet for a "private" directory, based on the
samples from the documentation, the webserver first asks me for my
certificate, successfully validates it, and *then* asks me for a
username/password. I know the certificate is successfully authenticated,
as I've modified my CustomLog entry to log the values of
SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, and SSL_CIPHER_USEKEYSIZE.
If I comment out the four lines for network-based access control:
#Order deny,allow
#Deny from all
#Allow from 127.0.0.1
#Allow from 199.85.99.0/24
Then I get my expected behaviour, which is:
- if I give a certificate, I get access
- if I don't give a certificate, I am asked for username/password
Am I being dense about combining access control methods, or is there a
bug somewhere?
Thanks in advance,
--
Harald Koch <[EMAIL PROTECTED]>
"It takes a child to raze a village."
-Michael T. Fry
<Directory /var/www/html/private>
# any "intranet" access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate
# If HTTPS is used, make sure a strong cipher is used.
# Additionally, allow client certs as an alternative to basic auth.
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 2
SSLOptions -StrictRequire +OptRenegotiate +StdEnvVars
SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
# Allow any of certs, network access or basic auth
Satisfy any
# Network Access Control
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 199.85.99.0/24
# HTTP Basic Authentication
AuthType Basic
AuthName "CFRQ users"
AuthUserFile /etc/httpd/conf/passwd
Require valid-user
</Directory>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]