SSLVerifyClient not working in Directory context

apache-2.2configurationmod-ssl

According to Apache documentation about SSLVerifyClient, one can define its value in Directory context. However, the following configuration is not working:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ...

    DocumentRoot /var/www/projects

    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:-SSLv2
    SSLCertificateFile    /etc/ssl/certs/dev.example.com_self.crt
    SSLCertificateKeyFile /etc/ssl/private/dev.example.com_self.key
    SSLVerifyClient none
    SSLVerifyDepth 2

    <Directory "/var/www/projects/projectA/">
      SSLCACertificateFile "/etc/ssl/certs/ACRAIZ-SHA2.crt"
      SSLVerifyClient require
    </Directory>

    ...

  </VirtualHost>
</IfModule>

If I request https://example.com/projectX the value none is set. But if I try https://example.com/projectA Apache does not take into account the require value but keeps none.

Do I have something wrong in my configuration or is it related to Apache parsing rules?

Thanks

Best Answer

Try moving your SSLCACertificateFile out of the <Directory> block - directory is not a valid context for that config.

Is there any other config in your vhost (say, a <Location>) or possibly .htaccess files that could be setting their own SSLVerifyClient none? Those settings could take precedence over the directory block.

Oh, and I'm not sure if this is a requirement for SSLCACertificateFile, but do a full restart (not just a reload) after you get that config in the right place. mod_ssl is finicky about picking up new certificate files in a reload.

Related Topic