SSLVerifyClient optional with location-based exceptions
Posted by Ian Dunn on Server Fault
Published on 2012-11-23T21:30:48Z
I have a site that requires authentication in order to access certain directories, but not others. (The "directories" are really just rewrite rules that all pass through /index.php)
In order to authenticate, the user can either login with a standard username/password, or submit a client-side x509 certificate.
So, Apache's vhost conf looks something like this:
    # vhost-level defaults: no client certificate is requested in the initial TLS handshake
    SSLCACertificateFile /etc/pki/CA/certs/redacted-ca.crt
    SSLOptions +ExportCertData +StdEnvVars
    SSLVerifyClient none
    SSLVerifyDepth 1

    # only these paths ask for a certificate; changing the verify mode
    # per location forces a TLS renegotiation once the URL is known
    <LocationMatch "/(foo-one|foo-two|foo-three)">
        SSLVerifyClient optional
    </LocationMatch>
That works fine, but then large file uploads fail because of the behavior documented in bug 12355.
The workaround for that is to set SSLVerifyClient require (or optional) as the default, so now the conf looks like this:
    # vhost-level defaults: a client certificate is now requested in the initial TLS handshake
    SSLCACertificateFile /etc/pki/CA/certs/redacted-ca.crt
    SSLOptions +ExportCertData +StdEnvVars
    SSLVerifyClient optional
    SSLVerifyDepth 1

    # intended to switch the prompt off again for these paths
    <LocationMatch "/(bar-one|bar-two|bar-three)">
        SSLVerifyClient none
    </LocationMatch>
That fixes the upload problem, but the SSLVerifyClient none doesn't work for bar-one, bar-two, etc. Visitors to those directories are still prompted to present a certificate.
Additionally, I also need the root URL to be accessible without the user being prompted for a certificate. I'm afraid that will cancel out the workaround, though.
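An added example, not part of the question and not the poster's configuration, showing the usual way out of this conflict. mod_ssl sends the client-certificate request during the initial TLS handshake, before Apache knows which URL is being fetched, so a vhost-level "optional" prompts on every URL and a per-location "none" cannot take that prompt back. Conversely, changing the verify mode inside a Location forces a renegotiation, and mod_ssl must buffer the request body in memory to replay it afterwards, which is the limit hit in bug 12355 (SSLRenegBufferSize, 128 KiB by default). Splitting the site across two hostnames avoids both problems: one vhost never asks for a certificate, the other asks in the initial handshake and therefore never renegotiates. The hostnames, server certificate paths, DocumentRoot and the SSLRequire line are assumptions made for the illustration; the CA file and the foo-*/bar-* paths are taken from the question.

```apache
# Added example (not the poster's config). Hostnames, server certificate
# paths and DocumentRoot are assumptions; the CA file is the one from the
# question. Two name-based TLS vhosts on one address need SNI support in
# Apache (2.2.12 or later) and in the clients; otherwise give each vhost
# its own IP address.

# Vhost 1: the root URL, bar-one/bar-two/bar-three and the username/password
# login. No CertificateRequest is ever sent, so nobody is prompted.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    SSLVerifyClient none
</VirtualHost>

# Vhost 2: the certificate-authenticated paths. The certificate is requested
# in the initial handshake, so there is no renegotiation and large uploads
# are not subject to SSLRenegBufferSize.
<VirtualHost *:443>
    ServerName cert.example.com
    DocumentRoot /var/www/site

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/cert.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/cert.example.com.key

    # Only certificates issued directly by this CA are accepted (depth 1).
    SSLCACertificateFile /etc/pki/CA/certs/redacted-ca.crt
    SSLVerifyDepth 1
    SSLVerifyClient optional
    SSLOptions +ExportCertData +StdEnvVars

    # "optional" does NOT fail the connection when the certificate is
    # missing, expired or unknown to the CA; it only records the outcome in
    # SSL_CLIENT_VERIFY (SUCCESS, NONE or FAILED...). The application behind
    # /index.php must therefore check SSL_CLIENT_VERIFY == "SUCCESS" before
    # trusting SSL_CLIENT_S_DN, or the web server can enforce it here.
    # SSLRequire does not change the verify mode, so it triggers no
    # renegotiation.
    <LocationMatch "^/(foo-one|foo-two|foo-three)">
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </LocationMatch>
</VirtualHost>
```

If a single hostname has to be kept, the other option is the question's first configuration (vhost-level "none", "optional" only inside the LocationMatch) with SSLRenegBufferSize raised to the largest upload the foo-* paths must accept; the cost is that mod_ssl holds that much request body in memory per renegotiating request, which is also a denial-of-service lever, so the split-vhost layout above is the safer default. In either layout the check on SSL_CLIENT_VERIFY is what actually makes the certificate an authentication factor; the verify mode alone does not.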
© Server Fault or respective owner