SSLVerifyClient directive in location make post to Web application impossible
Agreed - sorry, but this is not yet implemented. Mechanically, the server must slurp up the whole POST body, then talk the client into renegotating. connection: upgrade tls would help enormously, but 5 years later we are only now implementing it - and it will take some time for any clients to jump on board.
So I guess Apache 2.0 just can't be used to implement any web services who want to do SSL-based authentication? Here's the scenario where getting the SSL info on a post is absolutely critical: Say I want to make a web service application which clients can call to check on their order status (e.g., processing, shipped, etc.). I have a MySQL database which stores all the customer data (IDs, SSL public keys, etc.). Clients call an XML-RPC method to determine their order status. I want to be able to look up their customer ID based on the SSL cert they're using so I can issue the appropriate response. Pretty simple, right? XML-RPC (and SOAP) are both POST-based. That means if the client calls the XML-RPC method, I have no way of getting at the SSL cert that the client is using, and therefore, cannot validate it with the one I have in the database. This kind of authentication isn't necessarily all that commonplace in a user-driven application, but is quite necessary for use in the world of web services. Is there a workaround in the mean time? Does this work in 1.x?
*** Bug 24725 has been marked as a duplicate of this bug. ***
This issue is being tracked by bug 12355; reopening to mark as duplicate.
*** This bug has been marked as a duplicate of 12355 ***