Commit d40cfb93 authored by Leigh B Stoller

Protogeni change; client verification is now marked "optional" in the
vserver so that we avoid SSL renegotiation that is triggered when
doing it on a per-directory basis.

Also add ExportCertData so that the entire client certificate is
passed along in the ENV; we need those to get the URNs out of the
altname field.
parent 4561b50a
......@@ -1328,8 +1328,8 @@ CustomLog @prefix@/log/apache_ssl_request_log \
SSLCACertificateFile @prefix@/etc/genica.bundle
# Another bundle of CRLs.
SSLCARevocationFile @prefix@/etc/genicrl.bundle
# Default this to none so that regular web server requests pass.
SSLVerifyClient none
# Must use optional to avoid renegotiation, which is broken.
SSLVerifyClient optional
# Reject the unencrypted certs that all users get.
<Location />
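Review bot: the replacement comment "Must use optional to avoid renegotiation, which is broken" should say what is broken; the commit message explains it (a per-directory `SSLVerifyClient require` layered over a vhost-level `none` forces a TLS renegotiation), but the next person reading this vhost config will not have the commit message. A second point worth a comment on the same line: `optional` at vhost scope means the server now sends a CertificateRequest on every handshake for this vhost, and a client certificate that fails chain validation against `@prefix@/etc/genica.bundle` or is listed in `@prefix@/etc/genicrl.bundle` now aborts the handshake for the whole vhost rather than only for the protected directories. If ordinary web users with a bad or revoked cert are meant to still reach the unprotected parts of the site, `optional_no_ca` is the variant that lets the handshake complete and leaves the rejection to the per-directory checks; if the handshake failure is intended, say so in the comment.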
......@@ -1344,18 +1344,16 @@ ScriptAlias /protogeni/xmlrpc/ses @prefix@/protogeni/xmlrpc/protogeni-ses.pl
SSLRequireSSL
Order deny,allow
allow from all
SSLVerifyClient require
SSLVerifyDepth 5
</Directory>
<Directory "@prefix@/protogeni/">
SSLRequireSSL
Order deny,allow
allow from all
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars +ExportCertData
Options +ExecCGI +FollowSymLinks
SetHandler cgi-script
SetEnv USER "nobody"
SSLVerifyClient require
SSLVerifyDepth 5
</Directory>
</IfDefine>
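Review bot: nothing in this hunk replaces the removed `SSLVerifyClient require`, so with the vhost at `optional` these `<Directory>` blocks now accept requests from a client that presented no certificate at all; the CGI scripts behind `SetHandler cgi-script` must check `SSL_CLIENT_VERIFY` themselves, or the directories should carry `SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"`, which rejects cert-less requests without changing the verify mode and so does not trigger the renegotiation this commit is trying to avoid. The removed `SSLVerifyDepth 5` has no visible vhost-level replacement either; mod_ssl's default depth is 1, so a client chain with an intermediate CA between the user cert and the genica bundle would stop verifying unless `SSLVerifyDepth 5` is added next to `SSLVerifyClient optional` at vhost scope. Finally, the hunk header (`-18,18 +1344,16`) accounts for three removals and one addition, so not all four `SSLVerifyClient require` / `SSLVerifyDepth 5` lines shown here can have been dropped; the rendered diff loses the +/- markers, so confirm which `<Directory>` still carries `require`, because a per-directory `require` over the vhost `optional` is exactly the configuration the commit message says triggers renegotiation.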