
We are trying to achieve the "SSLVerifyClient none" config only for Android users. Is it possible on a given virtual host?

<VirtualHost *:443>
...
SSLVerifyClient optional
BrowserMatch Android SSLVerifyClient none
...
</VirtualHost>

For some reason it's not working. We are using Apache 2.2.

Mateo

1 Answer


SSLVerifyClient inside the server context (i.e. global or virtual host) applies to the initial TLS handshake. The User-Agent header required by BrowserMatch is only done after the successful TLS handshake. This means that you are trying to set an option relevant for the TLS handshake after the TLS handshake was already done, which of course will not work.

But given that you've only set SSLVerifyClient to optional it will not fail if no certificate was sent anyway.

Steffen Ullrich
  • Ok, thanks, I get it. The thing is that on Android Chrome a popup is sent to choose the client certificate. If I put "none" that behaviour doesn't happen and it's what I'm trying to achieve, but I need "optional" for my web services to work on the same virtual host. Is there an alternative without having to create another virtual host? – Mateo Mar 02 '20 at 13:08
  • @Mateo: You might try to require a client certificate only inside .htaccess and thus for a specific path and not globally on the server. In this case a renegotiation will be done after it had figured out the path from the request and in this case it can also figure out the browser. – Steffen Ullrich Mar 02 '20 at 13:13
  • We have Apache connected to a JBoss through mod_cluster, we don't have sites hosted by Apache, it just redirects to JBoss apps. Can we still configure an htaccess file? – Mateo Mar 02 '20 at 14:27
  • @Mateo: I don't think that you can use htaccess in this case. – Steffen Ullrich Mar 02 '20 at 17:01
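
The per-path approach discussed in the comments can also be written in the virtual host itself, since SSLVerifyClient is valid in per-directory context (which includes Location sections) as well as in .htaccess. The following is an added example, not configuration from the question or the answer; the /services prefix is a hypothetical path for the web services, and it assumes mod_ssl's per-location renegotiation takes effect for the requests proxied to JBoss.

```apache
<VirtualHost *:443>
    # ... existing SSLEngine, certificate, CA and mod_cluster directives ...

    # Handshake-time setting: the server sends no certificate request,
    # so browsers (Android Chrome included) show no certificate prompt.
    SSLVerifyClient none

    # Hypothetical path prefix for the web services (assumption).
    # This setting is evaluated after the request line has been read,
    # so mod_ssl renegotiates and asks for a client certificate only
    # for requests under this path.
    <Location /services>
        SSLVerifyClient optional
    </Location>
</VirtualHost>
```

With "optional" the request still proceeds when no certificate is presented, so the web service behind this path remains responsible for deciding whether a certificate is required.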