Changeset 1483


Ignore:
Timestamp:
Feb 22, 2010, 3:09:49 AM (8 years ago)
Author:
geofft
Message:
__scripts/needcerts: Add support for working around Safari

Safari on Mac OS X (or more properly, CFNetwork and the rest of the SSL
stack) doesn't properly support SSLVerifyClient Optional, which is our
default for :444. In particular, if you don't have an identity
preference set, only SSLVerifyClient Require will trigger the dialog to
set an identity preference and present a certificate to the site:

http://lists.apple.com/archives/apple-cdsa/2009/Apr/msg00041.html

We can work around this by checking for the Safari user-agent in
/__scripts/needcerts and renegotiating SSLVerifyclient Require. Forcing
the Require behavior on Safari users that reach this page is reasonable
because this page is only (supported to be) reached as an ErrorDocument
401; if you're intentionally using AuthOptional on to take advantage of
the optional authentication, you'll never trigger the 401 error.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf

    r1264 r1483  
    2929    RewriteRule ^ https://%{SERVER_NAME}:444%1 [L,R]
    3030
     31    RewriteCond %{HTTP_USER_AGENT} Mac\ OS\ X.*AppleWebKit
     32    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts(.*) /__scripts/safarihack$1 [L]
     33
    3134    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts(.+) $1 [L]
    3235    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts /__scripts/unauthorized.html [L]
    3336</Location>
     37
     38<Location /__scripts/safarihack>
     39    SSLVerifyClient require
     40    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/safarihack(.+) $1 [L]
     41    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/safarihack /__scripts/unauthorized.html [L]
     42</Location>
Note: See TracChangeset for help on using the changeset viewer.