httpd-users mailing list archives

From Rick Yorgason <>
Subject [users@httpd] Making SSLVerifyClient optional using mod_rewrite and Alias?
Date Tue, 16 Sep 2008 02:24:56 GMT
Hi everyone,

Here's the challenge I'm trying to solve.  I'd like to use the 
SSLVerifyClient directive to offer better security to users who know 
about client certificates, but only for users who opt in to the extra 

To make matters more difficult, I'd like to use the same URLs for my 
pages regardless of whether they're using client certificates or not.

How would you accomplish this?

I know the first thing everybody is going to think is "If you want it to 
be optional, just use 'SSLVerifyClient optional_no_ca'", but that runs 
the risk of the user being *asked* for their cert, even if they have no 
idea what a client cert is.  Sure, they can just hit cancel and get in, 
but it looks like a bug to people who don't know better.

I've managed to hack together this little work-around, and it works! 
But I'm not sure it's a good idea:

> RewriteCond %{HTTP_COOKIE} cert=opt
> RewriteRule ^/(.*) /certopt/$1 [NS,PT]
> 	<Location /certopt>
> 	SSLVerifyClient optional_no_ca
> 	SSLOptions +StdEnvVars +ExportCertData
> 	</Location>
> Alias /certopt C:/Projects/website

(In the example I'm using a cookie to change whether or not I'm using 
the extra verification, under the assumption that the final PHP code 
will do proper validation, but I could use any method mod_rewrite supports.)

So basically, I'm using one method of rewriting the URL (mod_rewrite) so 
I can pick up the extra SSL directives, then I'm using a *different* 
method of URL rewriting (alias) to return the URL to its original state.

Only thing is, I'm not 100% certain that this is actually *supposed* to 
work.  Can I rely on this working in future versions?  Is it a terrible 
idea?  Is there a better way to do it?  Am I going to be forced to learn 
the inner workings of mod_ssl and write a patch if I want this feature?



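The message assumes the PHP application does the actual validation. One way that check could look, as an added example that is not part of the original message: `$account` and its keys are hypothetical, and the `SSL_CLIENT_*` variables are the ones mod_ssl exports with `+StdEnvVars +ExportCertData`.

```php
<?php
// Added example: server-side check for the certificate opt-in scheme in the message.
// $account is a hypothetical record: ['cert_required' => bool, 'cert_sha256' => hex].

/** SHA-256 of the DER certificate inside a PEM string, or null if malformed. */
function cert_fingerprint(string $pem): ?string
{
    if (!preg_match('/-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----/s', $pem, $m)) {
        return null;
    }
    $der = base64_decode(preg_replace('/\s+/', '', $m[1]), true);
    return ($der === false || $der === '') ? null : hash('sha256', $der);
}

/** Decide from the account record, never from the cookie, whether a cert is needed. */
function client_cert_ok(array $account, array $server): bool
{
    if (empty($account['cert_required'])) {
        return true; // this user never opted in
    }
    // mod_ssl sets NONE when no certificate was sent and FAILED:reason on error;
    // optional_no_ca reports GENEROUS for a certificate it could not chain to a CA.
    $verify = $server['SSL_CLIENT_VERIFY'] ?? 'NONE';
    if ($verify !== 'SUCCESS' && $verify !== 'GENEROUS') {
        return false;
    }
    // No CA vouches for the certificate, so pin it to the one enrolled for the account.
    $seen = cert_fingerprint($server['SSL_CLIENT_CERT'] ?? '');
    return $seen !== null && hash_equals(strtolower($account['cert_sha256']), $seen);
}

// Constructed sample data (not a real certificate; only the PEM framing matters here).
$der = 'constructed-der-bytes';
$pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split(base64_encode($der), 64, "\n")
     . "-----END CERTIFICATE-----\n";
$account = ['cert_required' => true, 'cert_sha256' => hash('sha256', $der)];

// Opted-in account with the enrolled certificate, then without any certificate,
// then an account that never opted in.
var_dump(client_cert_ok($account, ['SSL_CLIENT_VERIFY' => 'GENEROUS', 'SSL_CLIENT_CERT' => $pem]));
var_dump(client_cert_ok($account, ['SSL_CLIENT_VERIFY' => 'NONE']));
var_dump(client_cert_ok(['cert_required' => false], []));
```

In a real request the second argument would be `$_SERVER`. The cookie only decides whether Apache asks for a certificate, so a request for an opted-in account that arrives without one is refused by this check.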