Re: [users@httpd] Re: Client certificate authentication issues

Mon, 15 Oct 2012 05:15:20 -0700 

On October 15, 2012 6:11 , VP <rpeyy...@gmail.com> wrote:

I am still continuing my search to find other solutions to fix my
issue. I have a question. Lets say even if my SSLVerifyClient in is
Location block called "secure". Would the SSL Renegotiation still
trigger if the user types in direct URL the very first time? Like
calling:

https://www.something.com/secure

Instead of:
https://www.something.com and then clicking on hyperlink on the
homepage which will take the user to https://www.something.com/secure
I am not an expert, but according to what I understand: yes, in the scenario you describe, renegotiation would still be triggered. The reason is that when the client establishes the initial SSL connection, it has not yet sent the HTTP request. The server does not know what URI path the client will be accessing, it only knows that there are some URI paths for which certificates are required and some for which certificates are not required, so it negotiates the connection without client side certificates. (Keep in mind that "SSLVerifyClient" does not work reliably with all clients -- so I'm assuming you have "SSLVerifyClient require" set for the /secure Location). After the SSL session is established, the client sends the HTTP GET request for /secure. The server sees that a client certificate is required, that no client certificate was previously provided (because the SSL session was established with "SSLVerifyClient none"), and the server triggers renegotiation.
The only sure way around this problem that I know about is to specify "SSLVerifyClient require" in the virtual host context or global server context so that it applies to al URI and filesystem paths. The server will then require a client certificate in the initial SSL negotiation for all connections, and renegotiation should never be triggered. 

--
  Mark Montague
  m...@catseye.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to