talk about SSLVerifyClient required vs. optional

author Evan Broder <broder@mit.edu>

Wed, 6 Jan 2010 23:10:14 +0000 (18:10 -0500)

committer sipb-www <sipb-www@real-mccoy.mit.edu>

Wed, 6 Jan 2010 23:10:14 +0000 (18:10 -0500)
author Evan Broder <broder@mit.edu>
Wed, 6 Jan 2010 23:10:14 +0000 (18:10 -0500)
committer sipb-www <sipb-www@real-mccoy.mit.edu>
Wed, 6 Jan 2010 23:10:14 +0000 (18:10 -0500)
diff --git a/doc/apache-client-certs.mdwn b/doc/apache-client-certs.mdwn

index da598d5f3524087d49bf4e4fd33b676b56551266..841e103c57f0a9040cdf29fae418b76a855cbc31 100644 (file)
--- a/doc/apache-client-certs.mdwn
+++ b/doc/apache-client-certs.mdwn
@@ -20,12 +20,14 @@ You'll also need a working AFS client and the Athena client certificate CA. Both
  
  In addition to the standard Apache directives needed to enable SSL, you'll need a few more before the Apache modules work as they do on scripts. Add the following directives to each vhost that will be using SSL client-side certificate authentication:
  
-    SSLVerifyClient require
+    SSLCACertificateFile /etc/ssl/clientCAs.pem
      <Location />
          AuthSSLCertVar SSL_CLIENT_S_DN_Email
          AuthSSLCertStripSuffix "@MIT.EDU"
      </Location>
  
+You also need to require certificate authentication. You can either use `SSLVerifyClient required` or `SSLVerifyClient optional`. `SSLVerifyClient required` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`.
+
  You'll also need to enable the Apache modules.
  
      # a2enmod auth_sslcert
author	Evan Broder <broder@mit.edu>
	Wed, 6 Jan 2010 23:10:14 +0000 (18:10 -0500)
committer	sipb-www <sipb-www@real-mccoy.mit.edu>
	Wed, 6 Jan 2010 23:10:14 +0000 (18:10 -0500)