On October 1, 2012 14:58, Tom Browder <[email protected]> wrote:
> On Mon, Oct 1, 2012 at 10:53 AM, Mark Montague <[email protected]> wrote:
>> On October 1, 2012 9:17, Tom Browder <[email protected]> wrote:
>>> Inside the restricted area I have:
>>> SSLVerifyClient require
>>> I have found that the configuration doesn't restrict CGI programs at
>>> all as I have them placed
>>> ...
>> Then something weird is going on. "SSLVerifyClient require" should prevent
>> any client from accessing the CGI programs unless it has a valid
>> certificate.
> But, Mark, does that apply if the CGI programs themselves are NOT
> located in the restricted area?

No, but then you've solved the problem:
1. You have URI paths beneath which you require clients to present
certificates in order to not get an HTTP 403 response.
2. You have CGIs, and you find that clients do not need to present
certificates when they make requests for the CGI.
3. You say that the CGIs from 2 are not in the area in 1.
4. You observe that the CGIs from 2 are not protected by the
requirements for 1. This observation is what is expected, due to 3.
The solution -- as far as Apache HTTP Server is concerned -- is to move
the CGIs into the area in 1, or, alternatively, configure the area in 2 to
also require clients to present SSL certificates.
If you prefer, you can make client certificates optional for the area in
which you have the CGIs (while still requiring client certificates for
area 1), but then you'll need to modify each one of your CGIs to check
to see whether a client presented a certificate for a given request,
and, based on that plus other details of the request, have each CGI make
an authorization decision regarding whether to respond with the
requested content or whether to respond with an HTTP 403 "Forbidden" error.
If this doesn't answer your question, then I'm not clear on what you are
actually asking, and maybe someone else can respond better. Or you
could try asking your question in a different way.
--
Mark Montague
[email protected]
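
The per-CGI check described in the reply above, sketched in Python as an added example (not part of the original message and not Apache's own code). It assumes the CGI area is configured with `SSLVerifyClient optional` and `SSLOptions +StdEnvVars` so that mod_ssl exports the `SSL_CLIENT_*` variables; the allowlisted DN and the function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""CGI-side client-certificate check (added example).

Assumed Apache configuration for the directory holding this CGI:
    SSLVerifyClient optional
    SSLOptions +StdEnvVars
"""
import os
import sys

# Constructed allowlist of subject DNs; the DN string format depends on the
# httpd version and SSLOptions, so copy values from your own server's output.
ALLOWED_DNS = frozenset({"CN=alice,O=Example Org,C=US"})


def authorize(environ, allowed_dns=ALLOWED_DNS):
    """Return (allowed, reason) for one request; anything unexpected denies."""
    if environ.get("HTTPS", "").lower() != "on":
        return False, "request did not arrive over TLS"
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    # Only an exact SUCCESS counts; a missing variable is treated as NONE.
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, "client certificate not verified (%s)" % verify
    subject = environ.get("SSL_CLIENT_S_DN", "")
    if subject not in allowed_dns:
        return False, "certificate subject is not authorized"
    return True, "ok"


def cgi_response(environ, allowed_dns=ALLOWED_DNS):
    """Build the full CGI response: 403 unless the request is authorized."""
    allowed, reason = authorize(environ, allowed_dns)
    if not allowed:
        # Detail goes to stderr (the Apache error log); the client only
        # learns that access is forbidden.
        sys.stderr.write("cgi authz denied: %s\n" % reason)
        return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n"
    return "Status: 200 OK\r\nContent-Type: text/plain\r\n\r\nprotected content\n"


if __name__ == "__main__":
    sys.stdout.write(cgi_response(os.environ))
```

If `SSLOptions +StdEnvVars` is missing, `SSL_CLIENT_VERIFY` is never set and every request is denied, which is the fail-closed behaviour you want from a check that each CGI has to carry itself.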