Hello,

We're setting up a site with client authentication and are using Apache 1.3 and mod_ssl for that.

We are using the Apache Alias command to make all requests to a certain URL pass through a PHP script. The web dir where the script is located is protected by SSLVerifyClient require.

When I address a directory beyond the alias definition (which then is passed through the PHP script), the client will get an SSL certificate selection box.

When I authenticate with a correct SSL client cert, all is well; everything works as it should work.

When I authenticate with a wrong SSL client cert, I *should* get a forbidden, page not found or something alike.

The problem is the following:
In this last example, I DO get the page in front of me, but only the first time; on a refresh/reload of the page I get a forbidden. It seems that only the initial request with a wrong certificate is allowed to the Apache Alias; after that everything is denied.

Here is a small piece of my configuration.

Alias /protected/dynamic /website/docroot/protected/dynamic/index.php
<Directory /website/docroot/protected>
    SSLVerifyClient require
    SSLVerifyDepth 2
</Directory>

Without the alias definition, everything does work as it should. The alias definition is causing the problem (but we kind of need it).

Am I doing something wrong? Does the Alias definition need special treatment within the SSL config?

Regards,
Tom Duijf
Cee-Kay