We're setting up a site with client authentication and are using apache 1.3 and mod_ssl for that.
We are using the apache alias command to make all requests to a certain url pass through a php script.
The web dir where the script is located is protected by SSLVerifyClient require.
When i address a directory beyond the alias definition (which then is passed through the php script), the client will get a SSL certificate selection box.
When i authenticate with a correct SSL client cert, all is well, everything works as it should work.
When i authenticate with a wrong SSL client cert, i *should* get a forbidden, page not found or something alike.
The problem is the folowing:
In this last example, i DO get the page in front of me, but only the first time, on a refresh/reload of the page i get a forbidden.
It seems that only the initial request with a wrong certificate is allowed to the apache Alias, after that everything is denied.
Here is a small piece of my configuration.
 Alias   /protected/dynamic   /website/docroot/protected/dynamic/index.php
<Directory /website/docroot/protected>
        SSLVerifyClient require
        SSLVerifyDepth  2
Without the alias definition, everything does work as it should. The alias definition is the causing the problem (but we kind of need it).
Am i doing something wrong? does the Alias definition need special treatment within the ssl config?
Tom Duijf

Reply via email to