## Installing the modules
-If you're using Ubuntu, [Evan Broder](http://ebroder.net) has packaged the scripts.mit.edu modules for all current Ubuntu releases in a PPA: https://launchpad.net/~broder/+archive/scripts-http-mods.
+If you're using Ubuntu, Evan Broder has packaged the scripts.mit.edu modules for all current Ubuntu releases in a PPA.
-The PPA homepage includes instructions on how to install the PPA on your system.
+The [PPA homepage](https://launchpad.net/~broder/+archive/scripts-http-mods) includes instructions on how to install the PPA on your system, but if you're on Ubuntu Karmic or later, you can just run:
# add-apt-repository ppa:broder/scripts-http-mods
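Review bot: the install instructions ending at `# add-apt-repository ppa:broder/scripts-http-mods` stop once the PPA is added; nothing in this section says which packages to install from it, so a reader following the new "you can just run" wording ends up with the repository configured and no modules installed. Suggest adding the package-index refresh and the install step, with the actual package names, after that command. The rewrite also drops the link from Evan Broder's name; adding a PPA means trusting its owner to ship packages that are installed as root, so a pointer to who maintains it is worth keeping.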
In addition to the standard Apache directives needed to enable SSL, you'll need a few more before the Apache modules work as they do on scripts. Add the following directives to each vhost that will be using SSL client-side certificate authentication:
- SSLVerifyClient require
- <Location />
+ SSLCACertificateFile /etc/ssl/clientCAs.pem
+ <Location />
AuthSSLCertVar SSL_CLIENT_S_DN_Email
AuthSSLCertStripSuffix "@MIT.EDU"
- </Location>
+ </Location>
+
+You also need to require certificate authentication. You can either use `SSLVerifyClient required` or `SSLVerifyClient optional`. `SSLVerifyClient required` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`.
You'll also need to enable the Apache modules.
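Review bot: the new paragraph spells the directive value as `SSLVerifyClient required` (twice), but mod_ssl's accepted levels are `none`, `optional`, `require` and `optional_no_ca`, and the line this change removes had it right as `SSLVerifyClient require`; copied as written, Apache will refuse the configuration. Change both occurrences to `require`. Since the directive is no longer in the example block and the text points to `optional` as what scripts.mit.edu uses, the paragraph should also say what happens to a request that arrives without a certificate under `optional`, and the added `SSLCACertificateFile /etc/ssl/clientCAs.pem` line needs a sentence on which CA certificates belong in that file.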