On 3/13/2013 1:50 AM, Felix Rubio Dalmau wrote:
> Hi,
>
> I've secured my apache by using SSL certificates (self-signed CA) for both
> server and clients, and I require them to the clients in order to connect.
> However, I have found these entries in ssl_access.log:
>
> 110.5.109.100 - - [03/Mar/2013:16:15:56 +0100] "GET /" 400 458 "-" "-"
> 93.174.88.31 - - [07/Mar/2013:15:25:54 +0100] "GET /" 400 458 "-" "-"
>
> If those clients do not have the certificates (I'm sure of that), and the
> negotiation is supposed to be encrypted because of the SSL, how is it
> possible that they have reached the point to do a "GET /"? Am I missing
> something? I thought that SSL negotiation was performed before the
> requesting of any page :-s
>
> Regards
>
> Felix
>

Hello, Felix;
   What you have probably configured is server-side SSL only (can
confirm if you post some config snippets). This would mean there are no
requirements at the transport layer for the client to have a
certificate. If you want to require the client to have a certificate,
you can use these directives:

SSLVerifyClient require
SSLCACertificateFile /path/to/your/CA/cert.pem

The word of caution here is that all users will have to present a client
certificate - which would mean they have to have them available to their
browsers or they will never be able to make a request.

--
Daniel Ruggeri
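
Added example (not part of the original thread, and not either poster's configuration): a virtual host that enforces the client certificate during the handshake and logs the TLS state of every request, so entries like the ones quoted above can be checked against what mod_ssl actually negotiated. The server name, file paths and the log format nickname "ssl_client" are placeholders chosen for illustration.

```apache
<VirtualHost *:443>
    ServerName www.example.com            # placeholder host name
    SSLEngine on
    SSLCertificateFile    /path/to/server/cert.pem
    SSLCertificateKeyFile /path/to/server/key.pem

    # Default behaviour if nothing else is set:
    #   SSLVerifyClient none
    # The handshake then completes without any client certificate.

    # Enforced setting: the client must present a certificate that
    # chains to the CA below, or the handshake fails before any
    # HTTP request is read.
    SSLVerifyClient require
    # Depth 1: the client certificate must be signed directly by a
    # CA listed in SSLCACertificateFile.
    SSLVerifyDepth  1
    SSLCACertificateFile /path/to/your/CA/cert.pem

    # Caveat: keep SSLVerifyClient at server/virtual-host level.
    # Inside <Directory> or <Location> it is applied by renegotiation
    # after the HTTP request has already been read.

    # Record the negotiated protocol, the verification result
    # (NONE, SUCCESS, GENEROUS or FAILED:reason) and the client
    # subject DN next to each request line.
    LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\"" ssl_client
    CustomLog logs/ssl_access.log ssl_client
</VirtualHost>
```

With this log format, a request that reached the server without a verified client certificate shows up with a verification field other than SUCCESS.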

