httpd-users mailing list archives

From Guillaume BOULAMERY <>
Subject [users@httpd] Using SSL configuration and SSLVerifyClient Directive
Date Mon, 19 Nov 2012 13:19:28 GMT

I would like to use SSLVerifyClient in order to do two-way authentication.

Here is my situation:

Client <-------> HAProxy <-------> Apache (SSL authentication **) <-------> tomcat/apache (Application server)

I have to authenticate clients before they can access the application, so that is the goal
of (**).

- Clients with no certificate, or with an expired or revoked one, can't access;

- Clients with a valid certificate can access;

1. First try

I found mod_ssl_error ( which is helpful but is based
on apache/mod_ssl versions and I don't want to maintain that.

2. Second try

If I set "SSLVerifyClient require" in server/vhost context, everything works fine at the

Problems come when I want to redirect users based on the failure reason (no certificate/expired/revoked)
or to personalize the 403 page.

I'm trying to use mod_rewrite to do this but it doesn't work; it's always a 403 that I can't
catch with rewrite.

I see that %{SSL_CLIENT_VERIFY}x can give me some information (NONE/failed:reason/...) but
this information doesn't work with all browsers (another question for me is why they always give
NONE as the reason)?!

IE6 works fine: - FAILED:certificate has expired [16/Nov/2012:14:56:13 +0100] "GET /index.php HTTP/1.1" 403 20

IE7 and above give: - NONE [16/Nov/2012:14:56:00 +0100] "GET /index.php HTTP/1.1" 403 20

(Another problem is that Browsers have a custom 403 page)

Am I right, or did I miss something in my configuration?

3. Third try

I find that "SSLVerifyClient optional" is better to do what I want but I don't want to introduce

What I understand is that if the client doesn't provide a certificate, he can access my site,
and if he provides one, this certificate is verified.

So to have the same control as "require", I have to set up a strong verification based this time
on rewrite rules:

        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS => gives the same control as require
and introduces the possibility to filter on the reason?!


        RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} to control expiration and redirect with the proper

Can you confirm that point ?

For now, this last solution is the one I prefer, but I'm open to any suggestion that can help.

Kind regards,
Guillaume Boulamery
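The "third try" described in the message above, written out as one complete vhost. This is an added example, not configuration from the poster or from the httpd project. It assumes Apache 2.4 (for `SSLCARevocationCheck` and `Require all granted`), that HAProxy passes the TLS session through to Apache untouched (client-certificate authentication needs the handshake to terminate on the Apache host), and that the hostname, certificate/CRL paths, the `/error/` pages and the backend address are placeholders to be replaced. Per the mod_ssl documentation, `SSL_CLIENT_VERIFY` takes the values `NONE`, `SUCCESS`, `GENEROUS` or `FAILED:reason`; which `FAILED:` reasons actually reach the request phase (rather than aborting the handshake) is the browser- and version-dependent behaviour the message reports, which is why the rules end with a catch-all deny rather than relying on the reason strings alone.

```apache
# Added example (not part of the original post or of httpd's own docs):
# "SSLVerifyClient optional" plus mod_rewrite, so that the net effect is
# still "require" but the failure reason selects a custom response.
# All hostnames, paths and addresses below are placeholders.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    # placeholder server certificate and key
    SSLCertificateFile    /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Client-certificate verification. "optional" lets the TLS handshake
    # complete without a certificate; the access decision is then made by
    # the rewrite rules below instead of by mod_ssl's built-in 403.
    # placeholder CA bundle for client certificates
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # Revocation checking (Apache 2.4: without SSLCARevocationCheck the CRL
    # file is loaded but never consulted).
    # placeholder CRL
    SSLCARevocationFile  /etc/ssl/crl/client-ca.crl
    SSLCARevocationCheck chain

    # Export the SSL_* variables to the request environment (backend, CGI).
    SSLOptions +StdEnvVars

    # Log the verification result next to each request; this is the field
    # that shows up as "- FAILED:certificate has expired" or "- NONE" above.
    LogFormat "%{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_S_DN}x %t \"%r\" %>s %b" ssl_verify
    CustomLog /var/log/apache2/app-ssl.log ssl_verify

    RewriteEngine On

    # The error pages must stay reachable without a valid certificate,
    # otherwise the redirects below would loop on themselves.
    RewriteCond %{REQUEST_URI} ^/error/
    RewriteRule ^ - [L]

    # No certificate presented at all.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =NONE
    RewriteRule ^ /error/no-certificate.html [R=302,L]

    # Certificate presented but expired.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} ^FAILED:.*expired
    RewriteRule ^ /error/certificate-expired.html [R=302,L]

    # Certificate presented but revoked.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} ^FAILED:.*revoked
    RewriteRule ^ /error/certificate-revoked.html [R=302,L]

    # Any other non-SUCCESS state (GENEROUS, another FAILED:reason, ...):
    # deny outright, so nothing reaches the application without a verified
    # certificate. This is the "!=SUCCESS" rule from the message.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule ^ - [F]

    # Verified certificate with fewer than 10 days left (SSL_CLIENT_V_REMAIN
    # is the number of remaining days as a decimal string, so a single digit
    # means 0-9 days): let the request through but flag it for the backend
    # so the application can show a renewal warning.
    RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} ^[0-9]$
    RewriteRule ^ - [E=CLIENT_CERT_EXPIRING:1]
    RequestHeader set X-Client-Cert-Expiring "1" env=CLIENT_CERT_EXPIRING

    # Static error pages served by this vhost (placeholder directory).
    Alias /error/ /var/www/error/
    <Directory /var/www/error/>
        Require all granted
    </Directory>

    # Everything that survived the checks goes to the application server.
    ProxyPreserveHost On
    ProxyPass        /error/ !
    ProxyPass        /  http://127.0.0.1:8080/
    ProxyPassReverse /  http://127.0.0.1:8080/
</VirtualHost>
```

The rule order matters: the `/error/` exemption comes first so the redirect targets are never themselves redirected, the specific reasons are matched before the catch-all `!=SUCCESS` deny, and the expiry warning sits after the deny so it only ever applies to a certificate that already verified. Apache's configuration parser does not allow a comment on the same line as a directive, which is why every placeholder note is on its own line.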
