 

Per-directory CA in httpd 2.4 (mod_ssl)

Was support for per-directory CA files removed in httpd 2.4?

<Location /directory>
Require valid-user

SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile /path/to/ca.crt
</Location>

This snippet works under httpd 2.2.29, but isn't valid for httpd 2.4.10 because of "Your SSL library does not have support for per-directory CA". I sadly couldn't find any evidence there was any change (no mention in release notes, documentation for mod_ssl is the same), so maybe it's a bug?

Compiled on RHEL, "./configure --with-included-apr --enable-so --with-crypto --enable-ssl", openssl 1.0.1e (16.el6_5.15)

DarkKnightCZ asked Oct 17 '14 06:10


2 Answers

It also happens to me; with Apache 2.2.25 the SSLCACertificateFile directive works correctly under the <Location> tag.

However, it seems that in 2.4 it does not. After some tries I got it to work by putting SSLCACertificateFile inside <VirtualHost> instead of <Location>.

So in Apache 2.4 use:

<VirtualHost localhost:443>
  SSLCACertificateFile /path/to/ca.crt
  <Location /directory>
    ...
  </Location>
</VirtualHost>

Instead of:

<VirtualHost localhost:443>
  ...
  <Location /directory>
    SSLCACertificateFile /path/to/ca.crt
    ...
  </Location>
</VirtualHost>

Hope it helps.

albciff answered Oct 12 '22 12:10
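An added example, not part of the thread: one way to keep per-path CA separation on httpd 2.4 once SSLCACertificateFile has moved to the virtual host. It loads every accepted CA at the vhost level and narrows each location to one issuer with `Require expr`. The certificate paths, the `/other` location and both CA names are constructed for illustration.

```apache
# Added example; paths, the /other location and CA names are constructed.
<VirtualHost localhost:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # httpd 2.4: trust anchors are configured once per virtual host.
    # This bundle must contain every CA that any location below accepts.
    SSLCACertificateFile /path/to/ca-bundle.crt

    # Do not ask for a client certificate on the rest of the site.
    SSLVerifyClient none

    <Location /directory>
        # SSLVerifyClient and SSLVerifyDepth remain valid per-directory.
        SSLVerifyClient require
        SSLVerifyDepth 5
        # Narrow the vhost-wide bundle to a single issuer for this path.
        Require expr "%{SSL_CLIENT_I_DN_CN} == 'Constructed Directory CA'"
    </Location>

    <Location /other>
        SSLVerifyClient require
        SSLVerifyDepth 5
        Require expr "%{SSL_CLIENT_I_DN_CN} == 'Constructed Other CA'"
    </Location>
</VirtualHost>
```

`SSL_CLIENT_I_DN_CN` is the common name of the certificate's immediate issuer, so with intermediates in the chain it names the intermediate, not the root. The comparison is a string match on a chain that validated against the whole bundle, so it is only as strong as the least trusted CA in that bundle.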


It appears to be expected behaviour according to RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179716

Onnonymous answered Oct 12 '22 12:10