httpd-users mailing list archives

From Shakti <corewa...@ea-world.com>
Subject [users@httpd] SSL and Basic Authentication
Date Tue, 15 Apr 2008 17:56:31 GMT
Hi,

I am new to Apache and need help with SSL authentication. I have 
compiled apache2 on Mac OS X. Configured it with basic authentication 
and that worked fine. I enabled SSL and that worked fine. Then I 
generated certificates for the server and clients, installed 
certificates in clients' browsers and that worked OK too.

Then I tried to combine certificate authentication with basic 
authentication and that is where I run into a problem. I am not sure if 
that is possible to do? When I do that I get the normal prompt from the 
server to accept the certificate, then the user name and password 
prompt. I type the user name and password, but then it comes again and 
again and prompts me for the user name and password over and over again.

When I do not use the client certificate, then typing the user name and 
password works fine. Here is the section in httpd-ssl.conf where I am 
experimenting:

<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks MultiViews
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificatePath "conf/certs"
    SSLCACertificateFile "conf/certs/cwsca.crt"

    AuthType Basic
    AuthName "CoreWafer"
    AuthUserFile /usr/local/apache2/conf/passwd/passwords
    AuthGroupFile /usr/local/apache2/conf/passwd/groups
    Require group CoreWafer

    Order allow,deny
    Allow from all
</Directory>

If I disable:

    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificatePath "conf/certs"
    SSLCACertificateFile "conf/certs/cwsca.crt"

then prompting for user name and password works fine. If I disable:

    AuthType Basic
    AuthName "CoreWafer"
    AuthUserFile /usr/local/apache2/conf/passwd/passwords
    AuthGroupFile /usr/local/apache2/conf/passwd/groups
    Require group CoreWafer

then using the client certificate works fine. It is when I try to use 
both, that is, the client certificate and the password, that I get into 
trouble.

I came across kx509 Web Authentication at:

http://www.dice.inf.ed.ac.uk/groups/services/web/docs/kx509.html

that appears to be doing exactly what I wanted, which is, first use the 
client certificate to open the SSL channel and then prompt for user name and 
password. However, they are using the module mod_auth_ssl.c, which I was not 
able to track down anywhere on the Internet. Also, it appears that that 
module may be for Apache 1.3 and not for Apache 2.

Any ideas/comments? Can this be done, and how?

Thank you very much,
Shakti




