X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/cbb5b898d98d39079a57acfb9f547f6655a941f7..4b45457ad4f3db1590fcc93f02fdaf73cfb30bf9:/doc/apache-client-certs.mdwn diff --git a/doc/apache-client-certs.mdwn b/doc/apache-client-certs.mdwn index d4a0642..034bcfe 100644 --- a/doc/apache-client-certs.mdwn +++ b/doc/apache-client-certs.mdwn @@ -4,11 +4,11 @@ While it's certainly possible to configure client-side certificate authenticatio ## Installing the modules -If you're using Ubuntu, Evan Broder has packaged the scripts.mit.edu modules for all current Ubuntu releases in a PPA. +If you're using Ubuntu, Evan Broder has packaged the scripts.mit.edu modules for all current Ubuntu releases (through 11.x) in a PPA. The [PPA homepage](https://launchpad.net/~broder/+archive/scripts-http-mods) includes instructions on how to install the PPA on your system, but if you're on Ubuntu Karmic or later, you can just run: - # add-apt-repository ppa:broder/scripts-http-mods + # add-apt-repository ppa:broder/scripts-http-mods ; apt-get update Once you've installed the PPA, you want to install the libapache2-mod-auth-sslcert and libapache2-mod-authz-afsgroup packages. 
@@ -26,7 +26,7 @@ In addition to the standard Apache directives needed to enable SSL, you'll need AuthSSLCertStripSuffix "@MIT.EDU" -You also need to require certificate authentication. You can either use `SSLVerifyClient required` or `SSLVerifyClient optional`. `SSLVerifyClient required` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`. +You also need to require certificate authentication. You can either use `SSLVerifyClient require` or `SSLVerifyClient optional`. `SSLVerifyClient require` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`. You'll also need to enable the Apache modules.
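Review bot: In the first hunk (@@ -4,11), the new command joins its two steps with `;`, so `apt-get update` runs even when `add-apt-repository` fails, and the reader sees a normal-looking update without the PPA having been added. Chain them with `&&` instead: `add-apt-repository ppa:broder/scripts-http-mods && apt-get update`. The added "(through 11.x)" also reads oddly next to "all current Ubuntu releases" and will go stale; naming the last packaged release, or pointing to the PPA page for the supported list, would age better.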
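Review bot: In the second hunk (@@ -26,7), the paragraph still opens with "You also need to require certificate authentication" and then offers `SSLVerifyClient optional` as an equal choice, without saying that under `optional` the TLS handshake completes for clients that present no certificate. Add a sentence stating that with `optional` the access decision rests on the authentication and authorization directives configured for the location, so a reader who copies the scripts.mit.edu setting does not assume the SSL layer is turning away certificate-less clients. The `required` to `require` correction itself matches the value mod_ssl accepts.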