> Assuming that your server is not listening for non-SSL connections,
> your clients are getting SSL connections whether they get prompted
> to accept your server's cert or not.

The server is listening only to port 443 connections.

> Feel free to prove me wrong by
> providing a network trace of in-the-clear http traffic on port 443
> and your config files showing your server is not listening for
> non-SSL connections.

I don't know how to do a network trace, unless you mean http log files. What I can tell you is that a user has connected to the data thru 443 without successfully accepting the certificate (IE on the Macs won't accept a self-signed cert) and without there being a padlock icon present in her browser.

> I'm not sure what to make of the fact that you don't
> know where the ssl.conf file is.

I set it up a long time ago.

> If you want to restrict access to only authorized clients, give
> them each a client certificate. Then configure Apache to require client
> authentication.

Restricting to authorized users is not the problem. Apache is handling that. The problem is making sure each client is only getting encrypted transmissions.

> Good luck!

Thanks. Thanks also for pointing me to the ssl config file. I'm going there now.
Ken
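
Added example, not part of the original messages: one way to run the check argued about in this thread without a packet capture is to send a plaintext HTTP request to port 443 and classify the first bytes that come back. The function names and sample replies are constructed for illustration; the 400 text matched is the error page Apache's mod_ssl returns for plain HTTP on an SSL port, and its wording is assumed to be unchanged on the server being tested.

```python
import socket

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returned after a plaintext HTTP request."""
    if not data:
        return "no-reply"  # connection closed or reset without an answer
    # TLS record header: content type 0x15 (alert) or 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-only"
    if data.startswith(b"HTTP/"):
        parts = data.split(b" ", 2)
        status = parts[1] if len(parts) > 1 else b""
        # mod_ssl rejects plain HTTP on an SSL port with a cleartext 400 page;
        # that is an error notice, not the protected content being served.
        if status == b"400" and b"plain HTTP to an SSL-enabled" in data:
            return "tls-only"
        return "cleartext-http"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a plaintext GET to host:port and classify what comes back."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            data = sock.recv(4096)
        except (ConnectionError, socket.timeout):
            data = b""
    return classify_reply(data)

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "tls alert": bytes.fromhex("15030100020246"),
    "mod_ssl 400": b"HTTP/1.1 400 Bad Request\r\n\r\nReason: You're speaking "
                   b"plain HTTP to an SSL-enabled server port.",
    "plain page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "empty": b"",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:12} -> {classify_reply(reply)}")
```

A result of "cleartext-http" from `probe` against your own server means the port is answering unencrypted requests with real content; "tls-only" means plaintext is being refused.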