Mike, at the time of the initial SSL handshake, the path part of the URL has not yet been transmitted. Therefore, there is no way for Apache/OpenSSL to know that the request is for the directory when the connection is established. Even though the Apache docs state that there will be a renegotiation once Apache has determined that the request is for the directory, the client has already been asked to provide a cert.
If you can turn your server structure around, it should work for OCsync. I.e., make "none" the server/vhost setting and set "optional" or "require" for the subdirectories relying on client certs. You should test the impact on the other clients, though. [I don't know offhand how well renegotiation is supported.] If both the client and server support SNI (server name indication), I expect it should work on a virtual host basis. [Does OCsync do SNI?]

-Marcel

> On 02.06.2014 at 04:10, Mike Morris <[email protected]> wrote:
>
> Hi all,
>
> I've just set up a dev instance of owncloud and it looks great, so I want to
> move to Production, but am having problems related to Client Certs. I *do*
> know that client certs are *not* supported - I'm trying to disable them for
> the /owncloud/ directory, without success.
>
> I've done lots of research and know this is a common issue; I think I
> understand most of the factors involved, and I know that this is an apache
> fix, but I need to understand what oc is doing to fix it, I think :-)
>
> "SSLVerifyClient require" is enabled at the DocumentRoot. A handful of
> directories are made public by "SSLVerifyClient none" inside of a Directory
> or Location block. This all works fine.
>
> Since I know that the OCsync will not work with client certs enabled, I want
> to disable them in the OC directory as well. So, of course I did this:
> <Location /owncloud/>
> SSLVerifyClient none
> </Location>
> which does not "work" (nor does <Directory>)... at least not completely.
> After much testing I realized that I *can* retrieve static docs from that
> directory, without presenting a client cert (e.g. "AUTHORS" and
> "COPYING-AGPL", or any simple PHP file I create there).
>
> However, trying to load the actual OC app always requests a cert. I cannot
> figure out why, since:
> Tracing HTTP requests shows no requests for docs outside the /owncloud/ URL
> namespace
> So my question is, what is OC doing that is triggering the request for a
> cert? No request for a doc in or under /owncloud/ should cause it (as far as
> I can tell)... There must be an internal rewrite directive or something
> causing this??? 
>
> Any guidance much appreciated!!!
>
> MikeM
>
> _______________________________________________
> User mailing list
> [email protected]
> http://mailman.owncloud.org/mailman/listinfo/user
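The two vhost layouts discussed in the thread, side by side, as an added example (not configuration posted by either participant); hostnames, paths and the CA file are placeholder assumptions:

```apache
# Layout A: the original post's structure. The vhost demands a client
# certificate, so the CertificateRequest goes out in the initial handshake,
# before the client has sent any request path. The Location override can
# only take effect through a renegotiation once the path is known, which is
# why a client that cannot answer a cert request (OCsync) is still prompted.
<VirtualHost *:443>
    ServerName cloud.example.com              # placeholder
    DocumentRoot /var/www/html                # placeholder
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem   # placeholder

    <Location /owncloud/>
        SSLVerifyClient none
    </Location>
</VirtualHost>

# Layout B: the inverted structure suggested in the reply. The vhost asks
# for no certificate during the initial handshake; only the directories that
# rely on client certs trigger the renegotiation. /owncloud/ inherits "none"
# from the vhost, so OCsync never sees a cert request.
<VirtualHost *:443>
    ServerName cloud.example.com              # placeholder
    DocumentRoot /var/www/html                # placeholder
    SSLEngine on
    SSLVerifyClient none
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem   # placeholder

    <Location /private/>                      # placeholder path
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
```

To confirm which layout a server is running, `openssl s_client -connect cloud.example.com:443` prints "Acceptable client certificate CA names" when a certificate is requested in the initial handshake and "No client certificate CA names sent" when it is not.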
