From 00c75d8161fee8711c44a6e25537703211842d87 Mon Sep 17 00:00:00 2001
From: Ronald MacDonald
Date: Wed, 30 May 2018 19:29:43 +0100
Subject: [PATCH 1/3] add ssl_verify_client option to directory
---
 templates/vhost/_directories.erb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb
index 07eff7e894..308452b92a 100644
--- a/templates/vhost/_directories.erb
+++ b/templates/vhost/_directories.erb
@@ -220,6 +220,9 @@
 <%- if directory['ssl_options'] -%>
 SSLOptions <%= Array(directory['ssl_options']).join(' ') %>
 <%- end -%>
+ <%- if directory['ssl_verify_client'] -%>
+ SSLVerifyClient <%= directory['ssl_verify_client'] %>
+ <%- end -%>
 <%- if directory['suphp'] and @suphp_engine == 'on' -%>
 suPHP_UserGroup <%= directory['suphp']['user'] %> <%= directory['suphp']['group'] %>
 <%- end -%>
From 36dab06641661301940120ab6ac31ee5ec8ba9db Mon Sep 17 00:00:00 2001
From: Ronald MacDonald
Date: Wed, 30 May 2018 20:15:55 +0100
Subject: [PATCH 2/3] Remove requirement for SSLVerifyClient to be specified before SSLCACertificateFile directive is included: SSLVerifyClient could be specified other than at the root of the VHost
---
 templates/vhost/_ssl.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb
index 7f5767c4cb..358c226913 100644
--- a/templates/vhost/_ssl.erb
+++ b/templates/vhost/_ssl.erb
@@ -16,8 +16,6 @@
 <%- if @ssl_honorcipherorder -%>
 SSLHonorCipherOrder <%= @ssl_honorcipherorder %>
 <%- end -%>
- <%- if @ssl_verify_client -%>
- SSLVerifyClient <%= @ssl_verify_client %>
 <%- if @ssl_certs_dir && @ssl_certs_dir != '' -%>
 SSLCACertificatePath "<%= @ssl_certs_dir %>"
 <%- end -%>
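Review bot: `directory['ssl_verify_client']` is written straight into the `SSLVerifyClient` directive with no check that it is one of the four arguments mod_ssl accepts (`none`, `optional`, `require`, `optional_no_ca`); any other string produces a config httpd refuses to load, which surfaces as a failed service reload after the catalog has already applied rather than as a catalog error. The template is not the place for that check — it belongs in the manifest that validates the `directories` hashes (not visible in this patch), mirroring whatever validation the vhost-level `ssl_verify_client` parameter already gets. A per-directory `SSLVerifyClient` also only does anything useful when a CA source is configured at vhost level, so an ERB comment above the new `if` such as `<%# per-directory client-cert verification; the CA must come from the vhost-level SSL settings -%>` would save the next reader a trip to the mod_ssl docs. The enclosing directory loop starts and ends outside this hunk.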
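Review bot: With the `<%- if @ssl_verify_client -%>` guard removed, the `<%- end -%>` that used to close it is left dangling until the second hunk of this patch (at new line 34) adds a fresh `if` directly above it, so the two hunks only form a balanced template together and must not be split across commits. The net effect is that `SSLCACertificatePath` and the CA/CRL directives below this hunk are now emitted whenever their own variables are set, independent of `@ssl_verify_client`; that is the intended fix, but nothing in the template ties the two settings together any more. A manifest-side check that fails the catalog when `ssl_verify_client` is `require` or `optional` while neither `@ssl_certs_dir` nor the CA file variable is configured would catch the case where client verification can never succeed — the manifest is not in this patch, so treat that as a suggestion for the class that sets these variables.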
@@ -36,6 +34,8 @@
 <%- if @ssl_crl_check && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
 SSLCARevocationCheck "<%= @ssl_crl_check %>"
 <%- end -%>
+ <%- if @ssl_verify_client -%>
+ SSLVerifyClient <%= @ssl_verify_client %>
 <%- end -%>
 <%- if @ssl_options -%>
 SSLOptions <%= Array(@ssl_options).join(' ') %>
From dab7b9004a1f87bd62fa8725bf31100c69eb5350 Mon Sep 17 00:00:00 2001
From: Ronald MacDonald
Date: Thu, 8 Nov 2018 00:16:56 +0000
Subject: [PATCH 3/3] add documentation for ssl_verify_client option on directory level
---
 README.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/README.md b/README.md
index 3038354a69..7a62cf3548 100755
--- a/README.md
+++ b/README.md
@@ -5157,6 +5157,27 @@ apache::vhost { 'secure.example.net':
 }
 ```
 
+##### `ssl_verify_client`
+
+Exactly as with the top-level (VHost) `ssl_verify_client` directive, permits user to set [client certificate verification](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) level for this directory.
+
+``` puppet
+apache::vhost { 'sample.example.net':
+ …
+ directories => [
+ { path => '/path/to/directory',
+ ssl_verify_client => 'optional',
+ },
+ ],
+}
+```
+
+SSL renegotiation will occur if a session already exists at a lower verification level.
+
+Values: 'none', 'optional', 'require', and 'optional_no_ca'.
+
+Default: `undef`.
+
 ##### `suphp`
 
 A hash containing the 'user' and 'group' keys for the [suPHP_UserGroup](http://www.suphp.org/DocumentationView.html?file=apache/CONFIG) setting. It must be used with `suphp_engine => on` in the virtual host declaration, and can only be passed within `directories`.
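Review bot: The `<%- end -%>` on the context line right after the added `if` previously closed a block that began at `SSLVerifyClient` and wrapped every CA/CRL directive above it; after this patch it closes only the two new lines, and nothing in the template says so. A future reader who sees `SSLCACertificatePath` and `SSLCARevocationCheck` sitting above this `if` may assume they are still conditional on `@ssl_verify_client`, so an ERB comment on the new line, `<%# SSLVerifyClient is independent of the CA/CRL directives above; each is emitted on its own condition -%>`, would make the intent explicit. The vhost SSL block this hunk belongs to starts and ends outside the hunk.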