
Making an exception for SSLVerifyClient require

Tags: ssl, apache2

I have apache2 httpd version 2.2.9 listening on port 443 with SSLEngine on. All URLs have SSLVerifyClient require and this works fine.

I want to make an exception for a specific URL (/ca.crt) so that my clients can download the certificate of the CA that the certificates we issue them are signed with. I try the following:

SSLVerifyClient require

Alias /ca.crt /my/ssl/certs/ca.crt
<Location /ca.crt>
  SSLVerifyClient none
</Location>

My problem is that Apache only seems to want to increase the strength of the SSL client certificate requirement. If I flip the two requirements around, it works as specified. As it is configured above, Apache effectively ignores the SSLVerifyClient none directive.

What's going on? Is this a bug?

sjr asked Feb 25 '23 02:02


1 Answer

Ok, it turns out that the answer to this question is in the documentation (as it usually is!)

"In per-server context [the SSLVerifyClient directive] applies to the client authentication process used in the standard SSL handshake when a connection is established."

See Apache Docs - SSLVerifyClient

Basically the first SSLVerifyClient directive was in the per-server context. I made an explicit <Directory> declaration for the root directory and put the SSLVerifyClient require directive in there. This did the trick.

sjr answered Mar 03 '23 08:03
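
The arrangement the answer describes, written out as an added example (not the poster's actual configuration). The `<VirtualHost *:443>` wrapper, the use of `<Directory />` for "the root directory", the server certificate paths and the reuse of ca.crt as the client-verification CA are assumptions; the alias and the `/ca.crt` location come from the question.

```apache
<VirtualHost *:443>
    SSLEngine on

    # Placeholder paths (assumptions, not from the page).
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA used to verify client certificates. Assumed to be the same
    # file the question serves at /ca.crt.
    SSLCACertificateFile  /my/ssl/certs/ca.crt

    # Per-server context: applies to the initial handshake of every
    # connection, before the requested URL is known. With "require"
    # here, a client without a certificate never gets far enough to
    # ask for /ca.crt, which is the behaviour seen in the question.
    SSLVerifyClient none

    # Per-directory context: evaluated after the request has been
    # read, and enforced by renegotiating the connection. This takes
    # over the job of the former server-wide "require".
    <Directory />
        SSLVerifyClient require
    </Directory>

    # The exception. <Location> sections are merged after <Directory>
    # sections, so this overrides the "require" above for this URL.
    Alias /ca.crt /my/ssl/certs/ca.crt
    <Location /ca.crt>
        SSLVerifyClient none
    </Location>
</VirtualHost>
```

`<Directory>` only matches requests that map to the filesystem, so anything served another way (a proxied path, for example) needs its own `SSLVerifyClient require` in a `<Location>` block, or it is reachable without a client certificate.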