httpd-users mailing list archives

From Martin Kuba <ma...@ics.muni.cz>
Subject Re: [users@httpd] mod_ssl, client certificates and r->username
Date Fri, 21 Jan 2011 11:07:19 GMT
Hi Tom,

the normal access log does not contain SSL information. If you want it,
create a special log using the directive CustomLog, e.g.

    CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log" "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\" SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\" SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""

See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats for details.

By the way, I suggest you replace the "SSLVerifyClient require" with

    SSLVerifyClient optional
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    ErrorDocument 403 /certneedederror.html

The big advantage is that when something goes wrong, the user will get
a web page with a nice error message you have written, instead of some weird
browser popup dialog window with an internal SSL error code.

Best regards

Martin

On 21.1.2011 11:24, Tom Evans wrote:
> Hi all
>
> Apache/2.2.17 (FreeBSD)
>
> I'm trying to use client certificates to authenticate my few users. I
> created a self-signed CA, server certificates and user certificates,
> and installed them in the appropriate places. I then created a vhost:
>
> <VirtualHost *:443>
>      ServerName rc.ketbun.com
>      SSLEngine on
>      SSLCertificateFile /etc/ssl/ketbun/star.ketbun.com/apache.crt
>      SSLCertificateKeyFile /etc/ssl/ketbun/star.ketbun.com/apache.key
>      SSLCACertificateFile /etc/ssl/ketbun/ca.crt
>      SSLVerifyClient require
>      SSLVerifyDepth 1
>      SSLCARevocationFile /etc/ssl/ketbun/ca.crl
>      SSLOptions +FakeBasicAuth +StdEnvVars
>      RequestHeader set X-Username %{SSL_CLIENT_S_DN_Email}s
> </VirtualHost>
>
> This all works nicely, and users can only access if they have been
> issued with keys/certificates and installed them in their browser.
> However, I can't seem to get any of these details to be logged.
>
> Without creating phony .htpasswd files listing all my users with dummy
> passwords, is there any way to extract an attribute from the client
> certificate's DN and use that to populate r->username? FakeBasicAuth
> doesn't seem to want to do anything without the dummy .htpasswd, and
> whilst I can pass the information easily enough to the webapps without
> this (adding it as a request header), this doesn't help me get the
> info into the access logs.
>
> Any ideas?
>
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>     "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: makub@ics.muni.cz
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
--------------------------------------------------------------
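An added example, not part of this thread and not httpd's own code: a small Python parser for the log lines the CustomLog directive above produces. It counts SSL_CLIENT_VERIFY outcomes, attributes verified requests to the certificate's emailAddress (the attribute Tom wanted in r->username), and flags 2xx responses served without a verified client certificate, which under "SSLVerifyClient optional" would mean the SSLRequire rule did not cover that path. The sample lines, hosts, addresses and DNs are constructed and hypothetical.

```python
import re
from collections import Counter
# Constructed sample lines (hypothetical hosts and users) in the exact format of the
# CustomLog above; with "SSLVerifyClient optional" verify is SUCCESS, NONE or FAILED:<reason>.
SAMPLE_LOG = "\n".join([
    'rc.example.test:443 203.0.113.5 - - [21/Jan/2011:11:24:00 +0100] "GET /app/ HTTP/1.1" 200 1234 "Mozilla/5.0" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="/C=CZ/O=Example/CN=Tom Evans/emailAddress=tom@example.test" SSL_CLIENT_I_DN="/C=CZ/O=Example/CN=Example CA" SSL_CLIENT_VERIFY="SUCCESS"',
    'rc.example.test:443 198.51.100.7 - - [21/Jan/2011:11:25:10 +0100] "GET /app/ HTTP/1.1" 403 512 "curl/7.21" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="-" SSL_CLIENT_I_DN="-" SSL_CLIENT_VERIFY="NONE"',
    'rc.example.test:443 198.51.100.9 - - [21/Jan/2011:11:26:45 +0100] "GET /app/ HTTP/1.1" 403 512 "Mozilla/5.0" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="/C=CZ/O=Example/CN=Old User/emailAddress=old@example.test" SSL_CLIENT_I_DN="/C=CZ/O=Example/CN=Example CA" SSL_CLIENT_VERIFY="FAILED:certificate revoked"',
    'rc.example.test:443 198.51.100.7 - - [21/Jan/2011:11:27:00 +0100] "GET /public/status HTTP/1.1" 200 80 "curl/7.21" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="-" SSL_CLIENT_I_DN="-" SSL_CLIENT_VERIFY="NONE"',
])

# One regex for the whole format; assumes no embedded double quotes in %r, the UA or the DNs.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<ua>[^"]*)" SSL_PROTOCOL=(?P<proto>\S+) '
    r'SSL_CLIENT_S_DN="(?P<s_dn>[^"]*)" SSL_CLIENT_I_DN="(?P<i_dn>[^"]*)" '
    r'SSL_CLIENT_VERIFY="(?P<verify>[^"]*)"$'
)

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def dn_email(dn):
    """Pull the emailAddress component out of a slash-separated DN; None if absent (or DN is '-')."""
    for part in dn.split("/"):
        if part.startswith("emailAddress="):
            return part[len("emailAddress="):]
    return None

def audit(log_text):
    """Count verify outcomes, count verified requests per certificate e-mail, and flag 2xx
    responses served without SSL_CLIENT_VERIFY=SUCCESS (paths the SSLRequire did not cover)."""
    outcomes, users, unverified_ok = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            outcomes["unparsed"] += 1
            continue
        outcomes[rec["verify"].split(":", 1)[0]] += 1   # FAILED:reason -> FAILED
        if rec["verify"] == "SUCCESS":
            users[dn_email(rec["s_dn"]) or rec["s_dn"]] += 1
        elif rec["status"].startswith("2"):
            unverified_ok.append((rec["client"], rec["request"]))
    return outcomes, users, unverified_ok

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Lines that fail to parse are counted under "unparsed" rather than silently dropped, so a format change on the server side shows up in the numbers.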

