httpd-users mailing list archives

From Martin Kuba <>
Subject Re: [users@httpd] mod_ssl, client certificates and r->username
Date Fri, 21 Jan 2011 11:07:19 GMT
Hi Tom,

the normal access log does not contain SSL information. If you want it,
create a special log using the directive CustomLog, i.e.

CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log" "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\""


See  for details.

By the way, I suggest you replace the "SSLVerifyClient require" with

SSLVerifyClient optional
ErrorDocument 403 /certneedederror.html

The big advantage is that when something goes wrong, the user will get
a web page with a nice error message you have written, instead of some weird
browser popup dialog window with an internal SSL error code.

Best regards


On 21.1.2011 11:24, Tom Evans wrote:
> Hi all
> Apache/2.2.17 (FreeBSD)
> I'm trying to use client certificates to authenticate my few users. I
> created a self-signed CA, server certificates and user certificates,
> and installed them in the appropriate places. I then created a vhost:
> <VirtualHost *:443>
>      ServerName
>      SSLEngine on
>      SSLCertificateFile /etc/ssl/ketbun/
>      SSLCertificateKeyFile /etc/ssl/ketbun/
>      SSLCACertificateFile /etc/ssl/ketbun/ca.crt
>      SSLVerifyClient require
>      SSLVerifyDepth 1
>      SSLCARevocationFile /etc/ssl/ketbun/ca.crl
>      SSLOptions +FakeBasicAuth +StdEnvVars
>      RequestHeader set X-Username %{SSL_CLIENT_S_DN_Email}s
> </VirtualHost>
> This all works nicely, and users can only access if they have been
> issued with keys/certificates and installed them in their browser.
> However, I can't seem to get any of these details to be logged.
> Without creating phony .htpasswd files listing all my users with dummy
> passwords, is there any way to extract an attribute from the client
> certificate's DN and use that to populate r->username? FakeBasicAuth
> doesn't seem to want to do anything without the dummy .htpasswd, and
> whilst I can pass the information easily enough to the webapps without
> this (adding it as a request header), this doesn't help me get the
> info into the access logs.
> Any ideas?
> Cheers
> Tom

Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email:
Masaryk University   
Botanicka 68a, 60200 Brno, CZ     mobile: +420-603-533775
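As an added example (not part of the thread above), here is a small Python parser for exactly the CustomLog format Martin gives, pulling the user identity out of the logged SSL_CLIENT_S_DN and listing the requests that arrived without a client certificate, which is what you want to review once "SSLVerifyClient optional" lets such requests reach the log. The sample log lines are constructed, and the DN layout assumed is the one-line "/C=.../CN=.../emailAddress=..." form that mod_ssl 2.2 produces.

```python
import re

# Field order of the CustomLog format from the reply above:
#   %v:%p %h %l %u %t "%r" %>s %b "%{User-Agent}i" SSL_PROTOCOL=... SSL_CLIENT_S_DN="..."
# mod_log_config backslash-escapes quotes inside quoted fields, so allow \" there.
QUOTED = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) "(?P<ua>' + QUOTED + r')" '
    r'SSL_PROTOCOL=(?P<proto>\S+) SSL_CLIENT_S_DN="(?P<dn>' + QUOTED + r')"$')

# Constructed sample lines (not real traffic); the second request presented no client
# certificate, which mod_log_config writes as "-" for an unset %{...}x variable.
SAMPLE_LOG = [
    'www.example.org:443 203.0.113.5 - - [21/Jan/2011:11:07:19 +0000] "GET /secure/ HTTP/1.1" 200 512 '
    '"Mozilla/5.0" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="/C=CZ/O=Example/CN=Alice Example/emailAddress=alice@example.org"',
    'www.example.org:443 203.0.113.9 - - [21/Jan/2011:11:08:02 +0000] "GET /secure/ HTTP/1.1" 403 221 '
    '"curl/7.21.3" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="-"',
]

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["dn"] in ("", "-"):   # no client certificate was presented
        rec["dn"] = None
    return rec

def dn_attributes(dn):
    """Split a 2.2-style one-line DN (/C=CZ/O=Org/CN=Name/emailAddress=...) into a dict."""
    attrs = {}
    for part in re.split(r'(?<!\\)/', dn):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key] = value.replace('\\"', '"')
    return attrs

def client_identities(lines):
    """For each parseable line: (client IP, status, identity taken from the cert DN or None)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # a line from another log format; skip rather than misattribute it
        ident = None
        if rec["dn"]:
            attrs = dn_attributes(rec["dn"])
            ident = attrs.get("emailAddress") or attrs.get("CN")
        out.append((rec["client"], int(rec["status"]), ident))
    return out

def requests_without_cert(lines):
    """With SSLVerifyClient optional these requests still reach the log; list them for review."""
    return [(ip, status) for ip, status, ident in client_identities(lines) if ident is None]
```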
