SSLVerifyClient optional with location-based exceptions
- by Ian Dunn
I have a site that requires authentication in order to access certain directories, but not others. (The "directories" are really just rewrite rules that all pass through /index.php)
In order to authenticate, the user can either login with a standard username/password, or submit a client-side x509 certificate.
So, Apache's vhost conf looks something like this:
SSLCACertificateFile /etc/pki/CA/certs/redacted-ca.crt
SSLOptions +ExportCertData +StdEnvVars
SSLVerifyClient none
SSLVerifyDepth 1
<LocationMatch "/(foo-one|foo-two|foo-three)">
    SSLVerifyClient optional
</LocationMatch>
That works fine, but then large file uploads fail because of the behavior documented in bug 12355.
The workaround for that is to set SSLVerifyClient require (or optional) as the default, so now the conf looks like this:
SSLCACertificateFile /etc/pki/CA/certs/redacted-ca.crt
SSLOptions +ExportCertData +StdEnvVars
SSLVerifyClient optional
SSLVerifyDepth 1
<LocationMatch "/(bar-one|bar-two|bar-three)">
    SSLVerifyClient none
</LocationMatch>
That fixes the upload problem, but the SSLVerifyClient none doesn't work for bar-one, bar-two, etc. Requests to those directories still prompt the user to present a certificate.
Additionally, I also need the root URL to be accessible without the user being prompted for a certificate. I'm afraid that will cancel out the workaround, though.
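The following vhost is an added example, written by the editor and not part of the original post, to show the knob that bug 12355 actually turns on: mod_ssl buffers the request body of a POST while it renegotiates for a client certificate, and the size of that buffer is controlled by SSLRenegBufferSize (default 131072 bytes). Raising it lets the first layout above (server-wide none, optional only inside the LocationMatch) accept large uploads, so the root URL and the bar-* paths never see a certificate prompt. The caveat the second layout runs into is structural: with optional at the server level the CertificateRequest is sent in the initial TLS handshake, before Apache knows the request path, so every connection to the vhost is prompted and a later per-location none cannot retract that. The hostname, certificate paths and the 10 MiB buffer size are assumptions; the CA path and location names are taken from the post.

```apache
# Added example (editor's, not from the original post). Assumed values are marked.
<VirtualHost *:443>
    ServerName            example.com                          # assumed
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/example.com.crt   # assumed
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key # assumed
    SSLCACertificateFile  /etc/pki/CA/certs/redacted-ca.crt

    # Export SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and friends to /index.php
    SSLOptions +ExportCertData +StdEnvVars

    # No certificate request in the initial handshake: "/" and the bar-*
    # paths are served without any prompt.
    SSLVerifyClient none
    SSLVerifyDepth  1

    # Per-location "optional" forces a renegotiation after the request line
    # is seen. Any request body already in flight must be buffered for the
    # renegotiation; the default 131072-byte buffer is what fails large
    # uploads. Size it to the largest body accepted on the foo-* paths.
    # (Bytes; 10 MiB here is an assumed value.)
    SSLRenegBufferSize 10485760

    <LocationMatch "/(foo-one|foo-two|foo-three)">
        SSLVerifyClient optional
    </LocationMatch>

    # With "optional", a connection that presents an invalid certificate is
    # refused at the handshake, so inside the application SSL_CLIENT_VERIFY
    # is either NONE (no certificate offered) or SUCCESS. The application
    # should authenticate only when SSL_CLIENT_VERIFY == "SUCCESS" and then
    # map SSL_CLIENT_S_DN to a user; the presence of a DN alone is not proof
    # of a verified certificate.
</VirtualHost>
```

To check which paths trigger a certificate request without a browser, connect with `openssl s_client -connect example.com:443` and send a request for "/" and for "/foo-one": an "Acceptable client certificate CA names" section in the s_client output marks the handshake in which the server asked for a certificate, and a renegotiation is visible as a second handshake after the request line is sent.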