httpd-users mailing list archives

From Sean Conner <...@conman.org>
Subject Re: [users@httpd] mod_ssl Client authentication question
Date Tue, 20 Jan 2009 07:30:58 GMT
It was thus said that the Great Brian Mearns once stated:
> I just want to double check some things because I implement ssl client
> auth on my server, to make sure I really understand what I'm doing:
> 
> First, if I use SSLRequire to check various fields in a client's
> certificate, is it implied that the certificate has already been
> verified as signed by one of the CA's I've defined in
> SSLCACertificateFile, for instance? In other words, this isn't just
> checking that someone made a certificate with the correct DN values,
> right? It's also verifying implicitly that it comes from an approved
> CA? I assume the same is true if I use FakeBasicAuth?
> 
> Second, I was trying to test the above question by creating
> self-signed certs, adding them to my browser, and making sure the
> server would not authenticate them. But when I did, my browser
> (Firefox) didn't even provide them as an option for me to use. I know
> this isn't strictly an apache question, but I think this is probably
> because of the "list of acceptable Certificate Authority names" sent
> to the browser by my server...does that sound correct? If this is the
> case, is there a way to get my server to tell the browser that any
> certificate is fine, but still only actually authenticate those signed
> by the appropriate CA's?

  I've actually set this up and got it working.  I used TinyCA [1] to set up
a Certificate Authority to sign certificates.  I then created a certificate
for the server [2] and one for myself.  I then added the CA certificate as a
trusted authority in my browser (Firefox,
Preferences->Advanced->Encryption->View Certificates->Authorities, then
imported the CA certificate) so I wouldn't get a warning when visiting my
site.  

  I then added the CA certificate to the file specified by the Apache
directive SSLCACertificateFile, so Apache would accept certificates signed
by my Certificate Authority.  

  Next up, installing the certificate for ME into my browser (exported as
PKCS#12) (Prefs->Advanced->Encryption->View Certificates->Your Certificates,
then import).  I then configured my secure site to require a certificate for
a directory---configuration below.

<VirtualHost 66.252.224.242:443>
  ServerName		secure.conman.org
  ServerAdmin		sean@conman.org
  DocumentRoot		/home/spc/web/sites/secure.conman.org/s-htdocs
  ScriptAlias		/cgi-bin/ /home/spc/web/sites/secure.conman.org/cgi-bin/
  CustomLog		/home/spc/web/logs/s-secure.conman.org sslcombined
  UseCanonicalName	on

  SSLEngine		on
  SSLCipherSuite	ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP
  SSLProtocol		all -SSLv2
  SSLCertificateFile	/home/spc/web/sites/secure.conman.org/server.crt
  SSLCertificateKeyFile	/home/spc/web/sites/secure.conman.org/server.key

  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
  	SSLOptions	+StdEnvVars
  </Files>

  <Directory /home/spc/web/sites/secure.conman.org/cgi-bin>
  	Options		-Indexes
  	SSLOptions	+StdEnvVars
  </Directory>

  <Directory /home/spc/web/sites/secure.conman.org/s-htdocs>
    Options		All
    AllowOverride	None
  </Directory>

  <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
    SSLRequireSSL
    SSLRequire	%{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories"	\
            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
    SSLVerifyClient	require
    SSLVerifyDepth	10
  </Directory>

  SetEnvIf	User-Agent	".*MSIE.*" 		\
		nokeepalive ssl-unclean-shutdown	\
		downgrade-1.0 force-response-1.0

</VirtualHost>

  I pulled the various directives from other files and placed them in one
place, just to help me figure out what was going on.  Hope this helps some.

  -spc (TinyCA made this all that much easier to deal with)

[1]	http://tinyca.sm-zone.net/

[2]	http://secure.conman.org/ and https://secure.conman.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

