Thanks for all your help, Mike, Evan, and Jonathan. It's working!<br><br>Best,<br>~Josh<br><br><div><span class="gmail_quote">On 4/6/07, <b class="gmail_sendername">Mike Moretti</b> <<a href="mailto:mmoretti@mit.edu">
mmoretti@mit.edu</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,<br><br>In addition to what Jon Reed mentioned, you also need these:
<br><br> SSLRequireSSL<br> SSLVerifyDepth 10<br>and either<br> SSLVerifyClient require<br>or<br> SSLVerifyClient optional<br><br>-m<br><br><br>Josh Aresty wrote:<br>> Hi all,<br>> I was wondering if anyone here can point me to a good reference on how
<br>> to configure Apache, OpenSSL, and client certificates at MIT.<br>><br>> I've been to <a href="http://web.mit.edu/apache-ssl/www/README.certificate">http://web.mit.edu/apache-ssl/www/README.certificate</a>
and to<br>> <a href="http://nazzim.mit.edu/developers/article.php?story=20051221094844208">http://nazzim.mit.edu/developers/article.php?story=20051221094844208</a><br>><br>> and while I have been able to get mod_ssl up and running using the OS X
<br>> server certificates interface, phpinfo() still does not show the<br>> SSL_DN_Client_Email or other SSL variables I would expect to see. I<br>> don't completely understand how certificates work, and I prefer to use
<br>> the OS X server interfaces for Apache because OS X server has a quirky<br>> way of choosing how to organize sites (and that makes me nervous to move<br>> things around too much).<br>><br>> The section of the apache configuration that seems to be concerned with
<br>> this says:<br>><br>> <IfModule mod_ssl.c><br>> SSLEngine On<br>> SSLLog "/var/log/httpd/ssl_engine_log"<br>> SSLCertificateFile
<br>> "/System/Library/OpenSSL/certs/dev-llarc.pem"<br>> SSLCertificateKeyFile<br>> "/System/Library/OpenSSL/private/server_key.pem"<br>> SSLCipherSuite<br>> "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL"
<br>> SSLCACertificateFile<br>> "/System/Library/OpenSSL/certs/mitca.crt"<br>> SSLCertificateChainFile<br>> "/System/Library/OpenSSL/certs/mitca.crt"<br>> </IfModule>
<br>><br>> Can anyone offer me insight? The dev-llarc file is the file I received<br>> after generating the request, and the server_key is the other file that<br>> was generated before (and I did not send it to
<a href="mailto:mitcert@mit.edu">mitcert@mit.edu</a><br>> <mailto:<a href="mailto:mitcert@mit.edu">mitcert@mit.edu</a>>). mitca.crt is from the MIT certificates page.<br>><br>> I would also appreciate chatting on the phone, or in person if you have
<br>> the time. Thanks.<br>><br>> Best,<br>> ~Joshua Aresty<br>> MIT LLARC Programmer/Analyst<br>> 3-4598<br>><br><br>--<br>Mike Moretti<br>IDD - Technical Services<br>SAIS - IS&T - MIT<br>617-253-1308
<br><a href="mailto:mmoretti@mit.edu">mmoretti@mit.edu</a><br></blockquote></div><br>
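An added example, not part of the original thread and not MIT's own tooling: a small Python check that reads a mod_ssl configuration and reports which of the client-certificate directives named in Mike's reply are missing. The sample configs are constructed from the directives quoted in the thread (abridged), the function names are hypothetical, and the `SSLOptions +StdEnvVars` check is an assumption drawn from the mod_ssl documentation rather than from the thread.

```python
# Added example, not from the thread. Configs below are constructed from the
# directives quoted in the thread, abridged, one directive per line.
JOSH_CONF = """<IfModule mod_ssl.c>
SSLEngine On
SSLCertificateFile "/System/Library/OpenSSL/certs/dev-llarc.pem"
SSLCertificateKeyFile "/System/Library/OpenSSL/private/server_key.pem"
SSLCACertificateFile "/System/Library/OpenSSL/certs/mitca.crt"
</IfModule>
"""
WITH_MIKE = JOSH_CONF.replace(
    "</IfModule>",
    "SSLRequireSSL\nSSLVerifyDepth 10\nSSLVerifyClient require\n</IfModule>")

def parse_directives(conf_text):
    """Map lowercased directive name -> list of argument strings.
    Comments and <Section> tags are skipped; directive names are case-insensitive."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        args = parts[1].strip().strip('"') if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(args)
    return found

def audit_client_cert(conf_text):
    """List the settings that keep client-certificate data from reaching PHP/CGI."""
    d = parse_directives(conf_text)
    findings = []
    if (d.get("sslengine") or ["off"])[-1].lower() != "on":
        findings.append("SSLEngine is not on")
    if not (d.get("sslcacertificatefile") or d.get("sslcacertificatepath")):
        findings.append("no CA file/path to verify client certificates against")
    mode = (d.get("sslverifyclient") or ["none"])[-1].lower()
    if mode not in ("require", "optional"):
        findings.append("SSLVerifyClient is %s, not require/optional" % mode)
    if "sslverifydepth" not in d:
        findings.append("SSLVerifyDepth not set (mod_ssl default is 1)")
    if "sslrequiressl" not in d:
        findings.append("SSLRequireSSL not set")
    # Assumption, not from the thread: mod_ssl exports SSL_* variables to the
    # CGI/PHP environment only when SSLOptions includes StdEnvVars.
    opts = " ".join(d.get("ssloptions", [])).lower().replace("+", " ").split()
    if "stdenvvars" not in opts:
        findings.append("SSLOptions +StdEnvVars not set")
    return findings

if __name__ == "__main__":
    for name, conf in (("as posted", JOSH_CONF), ("with Mike's lines", WITH_MIKE)):
        print(name, audit_client_cert(conf))
```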