Re: Mac users bypass SSL

Mon, 27 Sep 2004 12:01:01 -0700

kloomis wrote: 
At 08:36 AM 9/27/2004 -0400, you wrote:

Ken -
Missing from your description of the problem with Apache is: which operating system are you using?
Once you provide specific information, more help can be provided to you. 


Janet:

Thanks for your reply. I am using Redhat 9.0 and the versions of Apache and SSL provided with it. I noticed that the httpd.conf doesn't include SSL directives, as 1.3 did. I'll try the Apache lists, too. 

I'm surprised that this discussion is still going on, so it's possible
that I have misunderstood the problem.  But with that said, here goes:

Assuming that your server is not listening for non-SSL connections,
your clients are getting SSL connections whether they get prompted
to accept your server's cert or not.  Feel free to prove me wrong by
providing a network trace of in-the-clear http traffic on port 443
and your config files showing your server is not listening for non-
SSL connections.  I've been wrong before.  It doesn't hurt too much.
:-)

On RH9, the regular Apache httpd.conf file is in /etc/httpd.  Module
config files go in /etc/httpd.d, and that is where you will find the
ssl.conf file.  I'm not sure what to make of the fact that you don't
know where the ssl.conf file is.  Without it set up properly, your
server won't know about its certificate and your Windows won't be
getting prompted to accept it.

If you want to restrict access to only authorized clients, give
them each a client certificate.  Then configure Apache to require client
authentication.  That way, only clients who have a cert and a user who
knows its password will be able to connect.  Before launching down that
road, you might want to read up about PKI a bit.  You might want to
leverage it for more than just this one web server and a bit of prior
planning might pay off down the road.

Good luck!

Paul Allen

--
Boeing Phantom Works                   \ Paul L. Allen, (425) 865-3297
Math & Computing Technology              \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to