On 06/01/2014 10:46 PM, Marcel Waldvogel wrote:
> Mike,
> at the time of the initial SSL handshake, the path part of the URL has
> not yet been transmitted. Therefore, there is no way for
> Apache/OpenSSL to know that the request is for the directory when the
> connection is established. Even though the Apache docs state that
> there will be a renegotiation once Apache has determined that the
> request is for the directory, the client has already been asked to
> provide a cert.
> If you can turn your server structure around, it should work for
> OCsync. I.e. Make "none" the server/vhost setting and set "optional"
> or "require" for the subdirectories relying on client certs. You
> should test the impact on the other clients, though. [I don't know
> offhand how well renegotiation is supported.]
Thank you so much Marcel! I knew that inverting the logic was an option,
but I didn't want to have an "open" system as default. But now with your
explanation I see that it's an unavoidable technical limitation, not a
configuration issue. Thanks for that!
I may opt for another suggestion I found on some other forum, which is
putting the "verify none" directories on a separate port/vhost. Each
solution obviously has trade-offs...
> If both the client and server support SNI (server name indication), I
> expect it should work on a virtual host basis. [Does OCsync do SNI?]
I'd love to contribute something back by answering your closing
question... sadly I'm not knowledgeable enough yet. Perhaps soon!
Thanks again,
Sincerely,
MikeM
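For readers arriving at this thread with the same problem, here is an added example (not configuration posted by either participant) of the two layouts discussed above: the vhost default set to "none" with "require" only on the subdirectories that need client certificates, and the alternative of moving the cert-protected content to its own port/vhost. Hostnames, ports, paths and the CA file name are placeholders to be replaced with your own.

```apache
# Added example, not from the thread. Hostnames, ports and paths are placeholders.

# Layout 1: vhost-wide "none", per-directory "require".
# Because the request path is unknown during the initial handshake, the
# handshake on this vhost never asks for a client cert, so a sync client
# that cannot present one still connects. Apache only demands the cert
# after it has read the request line and matched a protected <Location>,
# via TLS renegotiation (TLS 1.2) or post-handshake auth (TLS 1.3).
Listen 443
<VirtualHost *:443>
    ServerName            cloud.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/cloud.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/cloud.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # Default for the whole vhost: no client cert requested at connect time.
    SSLVerifyClient none

    # Only these paths require a cert chaining to client-ca.pem. Every
    # path that must be protected needs its own block like this one;
    # anything not listed here is reachable without a client cert.
    <Location "/admin">
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# Layout 2 (the separate port/vhost option mentioned above): the
# cert-protected content lives on its own port, where the cert is
# requested in the initial handshake, and the sync client never sees
# that prompt on 443. No renegotiation is involved, so client support
# for renegotiation stops being a concern.
Listen 8443
<VirtualHost *:8443>
    ServerName            cloud.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/cloud.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/cloud.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2
    DocumentRoot          /var/www/restricted
</VirtualHost>
```

To confirm that the 443 vhost really does not request a certificate during the initial handshake, connect with `openssl s_client -connect cloud.example.com:443`: its output contains "No client certificate CA names sent" when the server issued no CertificateRequest, whereas against port 8443 it lists the acceptable CA names from client-ca.pem. With layout 1, remember that the protection now rests entirely on the per-Location blocks, so review them whenever a new path with sensitive content is added.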
_______________________________________________
User mailing list
http://mailman.owncloud.org/mailman/listinfo/user