[rt-users] Re: rt-mailgate problem with 'SSLVerifyClient require'

Cerion Armour-Brown cerion at terpsichore.ws
Mon Feb 23 05:31:35 EST 2004


Can someone please verify what I've done here - I'm pretty new to this!

I found that if I specify "SSLVerifyClient require" in the base of the VH, it 
overrides any further <Directory> changes... so the answer was to put the 
base "SSLVerifyClient require" also in a <Directory>, like so:

   <Directory "/opt/rt3/share/html">
      SSLVerifyClient require
      SSLVerifyDepth  1
      # Deny all non-SSL requests - guard against bad config:
      SSLRequireSSL
      # Don't allow anything to override the SSL requirements:
      SSLOptions +StrictRequire
   </Directory>

   # Allow access to this dir:
   <Directory "/opt/rt3/share/html/REST/1.0">
      Order Deny,Allow
      Deny from all
      # Allow access from local_hostname - 'localhost' won't work!
      Allow from my_hostname
      SSLVerifyClient none
   </Directory>

I understand now that this works because on a <Directory> basis, an SSL 
re-negotiation is done AFTER the header info is received... whereas at the 
VH level, the SSL handshake happens BEFORE the header info is received, so it 
can't get the hostname before it's too late.

Can anyone tell me if there is (or is not!) anything bad, security-wise, about 
what I've done here, as opposed to setting the "SSLVerifyClient require" at 
the VH level?

Many thanks,
Cerion
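As an added check (not part of the original post, and not RT's or Apache's own tooling), the following Python script audits a config in the shape shown above. It parses the <Directory> blocks, computes the effective SSLVerifyClient for each directory the way Apache merges sections (shortest path first, longest matching prefix wins), and flags every directory whose effective setting is weaker than its parent's. For each flagged directory it records whether a "Deny from all" plus "Allow from" restriction compensates, and whether that Allow is by hostname (which Apache must resolve via reverse DNS) rather than by IP address. The VirtualHost wrapper and the third, unrestricted "NoAuth" directory in the sample config are constructed so the audit has a negative case to report.

```python
import os
import re

# Constructed sample config: the two <Directory> blocks from the post, plus a
# third block (constructed) that relaxes client-cert checking with no
# compensating host restriction, so the audit has something to flag.
SAMPLE_CONFIG = """
<VirtualHost _default_:443>
   SSLEngine on
   SSLVerifyClient require

   <Directory "/opt/rt3/share/html">
      SSLVerifyClient require
      SSLVerifyDepth  1
      SSLRequireSSL
      SSLOptions +StrictRequire
   </Directory>

   <Directory "/opt/rt3/share/html/REST/1.0">
      Order Deny,Allow
      Deny from all
      Allow from my_hostname
      SSLVerifyClient none
   </Directory>

   # Constructed: relaxed with no host restriction at all.
   <Directory "/opt/rt3/share/html/NoAuth">
      SSLVerifyClient none
   </Directory>
</VirtualHost>
"""

# Relative strength of mod_ssl's four SSLVerifyClient settings.
STRENGTH = {"none": 0, "optional_no_ca": 1, "optional": 2, "require": 3}

DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"</Directory\s*>", re.I)
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)


def parse_config(text):
    """Split the config into the server/vhost-level SSLVerifyClient value and a
    {directory_path: [directive lines]} map. Containers other than <Directory>
    (VirtualHost, Location, ...) are not modelled; their lines count as base."""
    base, dirs, current = "none", {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIR_OPEN.match(line)
        if m:
            current = m.group(1).rstrip("/") or "/"
            dirs[current] = []
        elif DIR_CLOSE.match(line):
            current = None
        elif current is not None:
            dirs[current].append(line)
        else:
            v = VERIFY.match(line)
            if v:
                base = v.group(1).lower()
    return base, dirs


def effective_verify(base, dirs, path):
    """Apache merges <Directory> sections from shortest path to longest, so the
    longest matching prefix that sets SSLVerifyClient overrides the base."""
    value = base
    for d in sorted(dirs, key=len):
        if path == d or path.startswith(d.rstrip("/") + "/"):
            for line in dirs[d]:
                m = VERIFY.match(line)
                if m:
                    value = m.group(1).lower()
    return value


def audit(text):
    """One finding per <Directory> whose effective SSLVerifyClient is weaker
    than its parent's: does a Deny-all/Allow-from restriction compensate, and
    does that restriction rely on a hostname (reverse DNS) instead of an IP?"""
    base, dirs = parse_config(text)
    findings = []
    for path, lines in dirs.items():
        here = effective_verify(base, dirs, path)
        parent = effective_verify(base, dirs, os.path.dirname(path))
        if STRENGTH.get(here, 0) >= STRENGTH.get(parent, 0):
            continue
        deny_all = any(re.match(r"Deny\s+from\s+all$", l, re.I) for l in lines)
        allows = [m.group(1).strip() for l in lines
                  for m in [re.match(r"Allow\s+from\s+(.+)", l, re.I)] if m]
        findings.append({
            "path": path,
            "parent": parent,
            "effective": here,
            "restricted": deny_all and bool(allows),
            "hostname_allow": any(not re.fullmatch(r"[\d./]+", a) for a in allows),
        })
    return findings


def report(text):
    """Human-readable summary, one line per finding."""
    out = []
    for f in audit(text):
        note = "host-restricted" if f["restricted"] else "NO host restriction"
        if f["restricted"] and f["hostname_allow"]:
            note += " (by hostname: depends on reverse DNS)"
        out.append(f'{f["path"]}: SSLVerifyClient {f["parent"]} -> {f["effective"]}, {note}')
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the sample, the REST/1.0 directory is reported as relaxed but host-restricted (with the reverse-DNS note, since the Allow names a host rather than an address), and the constructed NoAuth directory is reported as relaxed with no restriction at all. The script only reads the static config; it does not replace testing the live server with and without a client certificate from an allowed and a disallowed host.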



