According to Apache documentation about SSLVerifyClient, one can define its value in Directory context. However, the following configuration is not working:
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ...
    DocumentRoot /var/www/projects
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:-SSLv2
    SSLCertificateFile /etc/ssl/certs/dev.example.com_self.crt
    SSLCertificateKeyFile /etc/ssl/private/dev.example.com_self.key
    SSLVerifyClient none
    SSLVerifyDepth 2
    <Directory "/var/www/projects/projectA/">
      SSLCACertificateFile "/etc/ssl/certs/ACRAIZ-SHA2.crt"
      SSLVerifyClient require
    </Directory>
    ...
  </VirtualHost>
</IfModule>
If I request https://example.com/projectX, the value none is set. But if I try https://example.com/projectA, Apache does not take into account the require value but keeps none.
Do I have something wrong in my configuration or is it related to Apache parsing rules?
Thanks
Best Answer
Try moving your SSLCACertificateFile out of the <Directory> block - directory is not a valid context for that config.
Is there any other config in your vhost (say, a <Location>) or possibly .htaccess files that could be setting their own SSLVerifyClient none? Those settings could take precedence over the directory block.
Oh, and I'm not sure if this is a requirement for SSLCACertificateFile, but do a full restart (not just a reload) after you get that config in the right place. mod_ssl is finicky about picking up new certificate files in a reload.
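The two checks the answer suggests, as an added Python example that is not part of the original question or answer: it flags certificate directives placed inside a per-directory section and lists every SSLVerifyClient setting with the section that encloses it. The sample is the question's config plus a constructed <Location> block; the name audit and the one-directive-per-line parsing are assumptions.

```python
import re

# Directives the mod_ssl reference lists with context "server config, virtual host" only.
SERVER_ONLY = {"sslcacertificatefile", "sslcacertificatepath",
               "sslcertificatefile", "sslcertificatekeyfile"}
# Per-directory containers: a server-only directive is out of context inside any of these.
PER_DIR = {"directory", "directorymatch", "files", "filesmatch",
           "location", "locationmatch"}

# The question's vhost (elided lines dropped) plus one constructed <Location> block.
SAMPLE = """\
<VirtualHost _default_:443>
DocumentRoot /var/www/projects
SSLEngine on
SSLVerifyClient none
SSLVerifyDepth 2
<Directory "/var/www/projects/projectA/">
SSLCACertificateFile "/etc/ssl/certs/ACRAIZ-SHA2.crt"
SSLVerifyClient require
</Directory>
# constructed: a later-merged section of the kind the answer asks about
<Location "/projectA">
SSLVerifyClient none
</Location>
</VirtualHost>
"""

def audit(conf_text):
    """Return (misplaced server-only directives, all SSLVerifyClient settings)."""
    stack, misplaced, verify = [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # closing tag: leave the innermost section
            del stack[-1:]
            continue
        opened = re.match(r"<(\w+)", line)
        if opened:                         # opening tag: remember kind and full label
            stack.append((opened.group(1).lower(), line))
            continue
        parts = line.split(None, 1)
        name, value = parts[0], parts[1] if len(parts) > 1 else ""
        per_dir = [label for kind, label in stack if kind in PER_DIR]
        if name.lower() in SERVER_ONLY and per_dir:
            misplaced.append((lineno, name, per_dir[-1]))
        if name.lower() == "sslverifyclient":
            scope = stack[-1][1] if stack else "server config"
            verify.append((lineno, value, scope))
    return misplaced, verify
```

Apache merges <Location> sections after <Directory> sections, so in the sample the constructed none on line 12 is the value that would apply to /projectA. Settings in .htaccess files are only covered if their text is passed to audit as well.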