I have apache2 httpd version 2.2.9 listening on port 443 with SSLEngine on. All URLs have SSLVerifyClient require and this works fine.
I want to make an exception for a specific URL (/ca.crt) so that my clients can download the certificate of the CA that the certificates we issue them are signed with. I try the following:
SSLVerifyClient require
Alias /ca.crt /my/ssl/certs/ca.crt
<Location /ca.crt>
SSLVerifyClient none
</Location>
My problem is that Apache only seems to want to increase the strength of the SSL client certificate requirement. If I flip the two requirements around, it works as specified. As it is configured above, Apache effectively ignores the SSLVerifyClient none directive.
What’s going on? Is this a bug?
Ok, it turns out that the answer to this question is in the documentation (as it usually is!)
See Apache Docs – SSLVerifyClient
Basically the first SSLVerifyClient directive was in the per-server context. I made an explicit <Directory> declaration for the root directory and put the SSLVerifyClient require directive in there. This did the trick.
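The arrangement described in the answer, written out as an added example (not the poster's actual configuration). The alias and certificate path come from the question; reading "the root directory" as `<Directory />` is an assumption.

```apache
# Per-server context: this level applies to the initial SSL handshake,
# before any URL is known, so a <Location> block cannot relax it later.
# Leave it at none so that /ca.crt can be fetched without a client cert.
SSLVerifyClient none

Alias /ca.crt /my/ssl/certs/ca.crt

# Per-directory context: enforced after the request has been read, by
# renegotiating the connection with the stricter verification level.
<Directory />
    SSLVerifyClient require
</Directory>

# <Location> sections are merged after <Directory> sections, so this
# overrides the requirement for the CA certificate URL only.
<Location /ca.crt>
    SSLVerifyClient none
</Location>
```

To check the result, request /ca.crt without presenting a client certificate (it should be served) and then any other URL the same way (it should be refused).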