httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "mdn teo" <mdn...@gmail.com>
Subject [users@httpd] Authentication with mod_ssl and FakeBasicAuth
Date Wed, 13 Aug 2008 16:39:20 GMT
Hi!

Following this howto: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html i
setup authentication to my secure area, I used a configuration like the
"howto", I wrote my subjectDN in the "httpd.passwd" with the defined
password, and everything works fine.

httpd.conf
---------------------------------------------------------------------------------
SSLVerifyClient      none
<Directory /usr/local/apache2/htdocs/secure/area>
SSLVerifyClient      require
SSLVerifyDepth       5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions           +FakeBasicAuth
SSLRequireSSL
AuthName             "Snake Oil Authentication"
AuthType             Basic
AuthUserFile         /usr/local/apache2/conf/httpd.passwd
require              valid-user
</Directory>
 ---------------------------------------------------------------------------------

httpd.passwd
---------------------------------------------------------------------------------
 /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
<my subject DN >:xxj31ZMTZzkVA
---------------------------------------------------------------------------------

But I have one question.
If my SubjectDN is present in the file "httpd.passwd", access is granted,
while if the my SubjectDN is not in the "httpd.passwd" file, I am prompted
for username and password, as the browser gets a 401 http-status.
I think this is misleading for users, as they are accessing the area with
their certificate, and whether somebody has been disabled (i.e. deleted form
the httpd.passwd), or has no rights for a defined area, he gets a
user-password prompt and the "authorization required" page after "n"
attempts, depending on the browser configuration. I know the disabled user
won't have access anyway, but I am wondering if there is a way to skip this
or to provide a 403 http-status instead of 401.

Mime
View raw message