httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Torsten Foertsch <>
Subject Re: [users@httpd] Making SSLVerifyClient optional using mod_rewrite and Alias?
Date Tue, 16 Sep 2008 07:14:49 GMT
On Tue 16 Sep 2008, Rick Yorgason wrote:
> Here's the challenge I'm trying to solve.  I'd like to use the
> SSLVerifyClient directive to offer better security to users who know
> about client certificates, but only for users who opt in to the extra
> security.
> To make matters more difficult, I'd like to use the same URLs for my
> pages regardless of whether they're using client certificates or not.
> How would you accomplish this?

Just an idea:

SSL is connection level stuff. Once the SSL negotiation is over all 
those settings can be used by all (sub)requests that use that 
connection. So, configure your URL for SSL but without client 
certification. Then decide somehow whether you want a client 
certificate. If yes, issue a subrequest to a special URL that is 
configured so that it requires a client certificate. That will trigger 
a new SSL handshake where the server requires the certificate. With 
mod_rewrite you can issue a subrequest using %{LA-U:variable}. Which 
URL is used in that subreq I don't know.

I have used that idea a few times but the configuration (subreq etc) was 
done with mod_perl.

There is a major drawback in that approach as with allowing SSL 
renegotiation in general. You cannot deploy large POST requests. 
Normally the SSL handshake is done before any other data is sent. If 
the server suddenly decides it wants to renegotiate and the client has 
sent a large POST request then there is user data on the wire while the 
server expects the SSL handshake.

Now a few remarks to think about. You said you want that for extra 
security. For whom? The SSL connection is not better encrypted if the 
client supplies a certificate. The only thing a that a client 
certificate can achieve is to make sure for the server to whom it 
talks. The client gains nothing.

But in that case using optional_no_ca is complete nonsense. Because if 
the server doesn't have a trusted CA certificate to verify the 
certificate supplied by the client the client can fake any identity it 

Just my €0.02,

Need professional mod_perl support?
Just hire me:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message