httpd-users mailing list archives

From "Brian Rook" <Brian.R...@state.co.us>
Subject Re: [users@httpd] client cert authentication problem
Date Thu, 09 Dec 2004 22:25:07 GMT
I am under the impression that Apache doesn't need to trust the
certificate that it's passed.  The process for client authentication was
described to me by a peer as such:

1. client requests resources
2. apache redirects to tomcat
3. tomcat responds 401/WWW-AUTHENTICATE/CLIENT-CERT
4. client resends request with his client certificate
5. apache redirects to tomcat
6. tomcat checks certificate against trusted certificates
7. tomcat authenticates client as FDN that is in certificate
8. tomcat checks authorization needed
9. tomcat responds with the resource requested

So that Tomcat does the SSL handshake against its truststore (cacerts).
I am testing with a self-signed certificate.  I have added it to
cacerts, but haven't done anything with Apache's trusted CAs.  Are you
saying that Apache needs to trust the certificate as well?


Brian

>>> jorton@redhat.com 12/9/2004 1:20:27 PM >>>
On Thu, Dec 09, 2004 at 10:34:09AM -0700, Brian Rook wrote:
> Hello,
> 
> I added the following lines to my virtual host
> 
> <VirtualHost dev.childsupport.state.co.us:443>
>   ServerName dev.childsupport.state.co.us
>   SSLEngine on
> *>  SSLVerifyClient require
> *>  SSLVerifyDepth 10
>   SSLCertificateFile conf/ssl.crt/myserver.crt
>   SSLCertificateKeyFile conf/ssl.key/myserver.key
>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>   ProxyRemote  /*  http://myserver:8080/
>   ProxyPass / http://myserver:8080/
>   ProxyPassReverse / http://myserver:8080/
>  </VirtualHost>

You also have to configure the set of trusted CAs for which you have issued
client certificates, using SSLCACertificateFile and ...Path - have you
done that?

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslcacertificatefile


What does the server error_log say?

joe
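Added example, not posted by either participant: the same virtual host with the directive Joe refers to, so the TLS handshake that Apache performs can actually validate the client certificate. The CA file path is a placeholder.

```apacheconf
# Added example, not part of the thread. File paths are placeholders.
<VirtualHost dev.childsupport.state.co.us:443>
  ServerName dev.childsupport.state.co.us
  SSLEngine on
  SSLCertificateFile    conf/ssl.crt/myserver.crt
  SSLCertificateKeyFile conf/ssl.key/myserver.key

  # The client certificate is checked during the TLS handshake, and that
  # handshake happens here in Apache, not in Tomcat: ProxyPass forwards
  # over plain http://, so Tomcat never sees a TLS handshake or a client
  # certificate, and its cacerts truststore plays no part in this check.
  SSLVerifyClient require
  # Depth 0 accepts only self-signed client certs; 1 also accepts certs
  # issued directly by a CA listed below. The original used 10, which
  # allows much longer chains than a self-signed test setup needs.
  SSLVerifyDepth 1
  # PEM bundle of the CA certificate(s) that issued the client certs.
  # A self-signed test certificate is its own issuer, so that certificate
  # itself goes into this file. Without this directive (or
  # SSLCACertificatePath) "SSLVerifyClient require" rejects every client.
  SSLCACertificateFile conf/ssl.crt/client-ca.crt   # placeholder path

  # ProxyRemote chains requests through an upstream forward proxy and is
  # not needed for a reverse proxy to Tomcat, so it is dropped here.
  ProxyPass        / http://myserver:8080/
  ProxyPassReverse / http://myserver:8080/
</VirtualHost>
```

When the handshake fails, mod_ssl records the reason (for example an unknown issuer) in the server error_log, which is the first place to look after adding the CA file.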

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 



