httpd-users mailing list archives

From Brian Mearns <>
Subject Re: [users@httpd] mod_ssl Client authentication question
Date Tue, 20 Jan 2009 13:21:23 GMT
On Tue, Jan 20, 2009 at 2:30 AM, Sean Conner <> wrote:
> It was thus said that the Great Brian Mearns once stated:
>> I just want to double check some things because I implement ssl client
>> auth on my server, to make sure I really understand what I'm doing:
>> First, if I use SSLRequire to check various fields in a client's
>> certificate, is it implied that the certificate has already been
>> verified as signed by one of the CA's I've defined in
>> SSLCACertificateFile, for instance? In other words, this isn't just
>> checking that someone made a certificate with the correct DN values,
>> right? It's also verifying implicitly that it comes from an approved
>> CA? I assume the same is true if I use FakeBasicAuth?
>> Second, I was trying to test the above question by creating
>> self-signed certs, adding them to my browser, and making sure the
>> server would not authenticate them. But when I did, my browser
>> (Firefox) didn't even provide them as an option for me to use. I know
>> this isn't strictly an apache question, but I think this is probably
>> because of the "list of acceptable Certificate Authority names" sent
>> to the browser by my server...does that sound correct? If this is the
>> case, is there a way to get my server to tell the browser than any
>> certificate is fine, but still only actually authenticate those signed
>> by the appropriate CA's?
>  I've actually set this up and got it working.  I used TinyCA [1] to set up
> a Certificate Authority to sign certificates.  I then created a certificate
> for the server [2] and one for myself.  I then added the CA certificate as a
> trusted authority in my browser (Firefox,
> Preferences->Advanced->Encryption->View Certificates->Authorities, then
> imported the CA certificate) so I wouldn't get a warning when visiting my
> site.
>  I then added the CA certificate to the file specified by the Apache
> directive SSLCACertificateFile, so Apache would accept certificates signed
> by my Certificate Authority.
>  Next up, installing the certificate for ME into my browser (exported as
> PKCS#12) (Prefs->Advanced->Encryption->View Certificates->Your Certificates,
> then import).  I then configured my secure site to require a certificate for
> a directory---configuration below.
> <VirtualHost>
>  ServerName  
>  ServerAdmin 
>  DocumentRoot          /home/spc/web/sites/
>  ScriptAlias           /cgi-bin/ /home/spc/web/sites/
>  CustomLog             /home/spc/web/logs/ sslcombined
>  UseCanonicalName      on
>  SSLEngine             on
>  SSLCipherSuite        ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP
>  SSLProtocol           all -SSLv2
>  SSLCertificateFile    /home/spc/web/sites/
>  SSLCertificateKeyFile /home/spc/web/sites/
>  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>        SSLOptions      +StdEnvVars
>  </Files>
>  <Directory /home/spc/web/sites/>
>        Options         -Indexes
>        SSLOptions      +StdEnvVars
>  </Directory>
>  <Directory /home/spc/web/sites/>
>    Options             All
>    AllowOverride       None
>  </Directory>
>  <Directory /home/spc/web/sites/>
>    SSLRequireSSL
>    SSLRequire  %{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories"  \
>            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
>    SSLVerifyClient     require
>    SSLVerifyDepth      10
>  </Directory>
>  SetEnvIf      User-Agent      ".*MSIE.*"              \
>                nokeepalive ssl-unclean-shutdown        \
>                downgrade-1.0 force-response-1.0
> </VirtualHost>
>  I pulled the various directives from other files and placed them in one
> place, just to help me figure out what was going on.  Hope this helps some.
>  -spc (TinyCA made this all the much easier to deal with)
> [1]
> [2] and

Thanks for the detailed response, Sean. I'm still not entirely clear
on one thing, though: If I created my own certificate and gave the
organization name "Conman Laboratories" and an Organizational unit name
of "Clients", would I be able to get onto your site? I'm 90% sure that
the answer is NO, because I'm not signed by the CA specified by the
SSLCACertificateFile directive, but the Apache documentation, as I
interpreted it, is not explicit that this directive applies an
implicit condition to the SSLRequire directive.


Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from:
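The distinction the thread is circling is that SSLRequire only evaluates an expression over the SSL_* variables; it performs no chain verification of its own. Whether the client certificate has to chain to a CA in SSLCACertificateFile is decided by SSLVerifyClient: with "require", mod_ssl aborts the handshake for a certificate it cannot verify, so SSLRequire never sees it; with "optional_no_ca", an unverifiable certificate is accepted and the SSL_CLIENT_S_DN_* variables are filled from it. The configuration below is an added example written for this archive page, not Sean's configuration or anything from the Apache project; the paths and the "Example Org" DN values are placeholders. It shows the weak combination beside the hardened one, and adds the SSLCADNRequestFile directive, which controls the "acceptable CA names" list sent to the browser independently of the CAs used for verification.

```apache
# Added example, not from the original thread. Paths and DN values are
# placeholders chosen for illustration.

SSLCACertificateFile    /etc/ssl/example/client-ca.pem

# WEAK: optional_no_ca lets the handshake complete even when the client
# certificate does not chain to a CA in SSLCACertificateFile. The
# SSL_CLIENT_S_DN_* variables are then populated from an unverified
# certificate, so a DN-only SSLRequire matches any self-signed certificate
# whose O/OU fields happen to carry the same strings.
<Directory /var/www/protected-weak>
    SSLRequireSSL
    SSLVerifyClient     optional_no_ca
    SSLVerifyDepth      10
    SSLRequire  %{SSL_CLIENT_S_DN_O}  eq "Example Org" \
            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
</Directory>

# HARDENED: "require" makes mod_ssl reject the handshake unless the client
# certificate chains (within SSLVerifyDepth) to a CA listed in
# SSLCACertificateFile, so SSLRequire only ever evaluates verified
# certificates. Testing SSL_CLIENT_VERIFY explicitly keeps the rule correct
# even if SSLVerifyClient is later relaxed to optional_no_ca.
<Directory /var/www/protected>
    SSLRequireSSL
    SSLVerifyClient     require
    SSLVerifyDepth      10
    SSLRequire  %{SSL_CLIENT_VERIFY}   eq "SUCCESS" \
            and %{SSL_CLIENT_S_DN_O}  eq "Example Org" \
            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
</Directory>

# The list of acceptable CA names in the TLS CertificateRequest is derived
# from SSLCACertificateFile unless overridden here. Browsers only offer the
# user certificates issued by a CA named in that list, which is why a
# self-signed test certificate never appears in the Firefox chooser.
SSLCADNRequestFile      /etc/ssl/example/client-ca.pem
```

After changing these directives, a quick check is to look at SSL_CLIENT_VERIFY in a CGI or log format (SSLOptions +StdEnvVars exposes it): only "SUCCESS" indicates the presented certificate was verified against the configured CAs.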

