From owner-freebsd-questions@FreeBSD.ORG Thu Dec 3 17:27:05 2009 Return-Path: Delivered-To: questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9159A106566C for ; Thu, 3 Dec 2009 17:27:05 +0000 (UTC) (envelope-from toomas.aas@raad.tartu.ee) Received: from bounce-out.neti.ee (bounce-out.neti.ee [194.126.101.104]) by mx1.freebsd.org (Postfix) with ESMTP id 1FB818FC12 for ; Thu, 3 Dec 2009 17:27:05 +0000 (UTC) Received: from smtp-out.neti.ee (relay211.estpak.ee [88.196.174.211]) by Bounce1.estpak.ee (Postfix) with ESMTP id 2B6F9AFD42 for ; Thu, 3 Dec 2009 19:16:56 +0200 (EET) Received: from localhost (localhost [127.0.0.1]) by relay211.estpak.ee (Postfix) with ESMTP id D96AFA944CD5 for ; Thu, 3 Dec 2009 19:16:54 +0200 (EET) X-Virus-Scanned: amavisd-new at estpak.ee Received: from smtp-out.neti.ee ([127.0.0.1]) by localhost (relay211.estpak.ee [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MalyUFZyizg0 for ; Thu, 3 Dec 2009 19:16:52 +0200 (EET) Received: from NETI-Relayhost1.estpak.ee (neti-relayhost1.estpak.ee [88.196.174.198]) by relay211.estpak.ee (Postfix) with ESMTP id 9D3C8A944C4C for ; Thu, 3 Dec 2009 19:16:52 +0200 (EET) X-SMTP-Auth-NETI-Businessmail: no Received: from carlsberg.kodu.lan (84-50-137-163-dsl.rkv.estpak.ee [84.50.137.163]) by NETI-Relayhost1.estpak.ee (Postfix) with ESMTP id 7C18C862 for ; Thu, 3 Dec 2009 19:16:52 +0200 (EET) Message-ID: <4B17F284.3000602@raad.tartu.ee> Date: Thu, 03 Dec 2009 19:16:52 +0200 From: Toomas Aas User-Agent: Thunderbird 2.0.0.23 (X11/20090917) MIME-Version: 1.0 To: questions@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: SA-09-15 vs Apache with client certificates X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 17:27:05 -0000 Hello! We have Apache running on FreeBSD 7.2, where among others a SSL virtual host is defined. One particular subdirectory of this virtual host is configured to require client certificates, using .htaccess file: ------------------------------------------------ SSLVerifyClient Require SSLVerifyDepth 3 SSLOptions +StdEnvVars +ExportCertData ------------------------------------------------ Do I understand the "NOTE WELL" section of FreeBSD-SA-09:15 correctly that if I apply the patch then this functionality will no longer work? The only workaround I can think of is to require client certificates for the entire vhost, but this is unrealistic to implement. Am I missing any other options? -- Toomas Aas ... What are you looking down here for? Read the message!