From Guillaume BOULAMERY <guillaume.boulam...@notaires.fr>
Subject [users@httpd] Using SSL configuration and SSLVerifyClient Directive
Date Mon, 19 Nov 2012 13:19:28 GMT
Hello,

I would like to use SSLVerifyClient in order to do two-way authentication.

Here is my situation:

Client <-------> HAProxy <-------> Apache (SSL authentication **) <-------> tomcat/apache (Application server)

I have to authenticate clients before they can access the application, so that is the goal of (**).

-    Client with no certificate/expired/revoked can't access;
-    Client with valid certificate can access;

1.       First try

I found mod_ssl_error (http://marcstern.tripod.com/mod_ssl_error/) which is helpful but depends on apache/mod_ssl versions and I don't want to maintain that.

2.       Second try

If I set "SSLVerifyClient require" in server/vhost context, everything works fine at the beginning.

Problems come when I want to redirect users based on the failure reason (no certificate/expired/revoked) or to personalize the 403 page.

I'm trying to use mod_rewrite to do this but it doesn't work; it's always a 403 that I can't catch with rewrite.

I see that %{SSL_CLIENT_VERIFY}x can give me some information (NONE/failed:reason/...) but this information doesn't work with all browsers (another search for me is why they always give the NONE reason)?!

IE6 works fine:

192.168.56.102 - FAILED:certificate has expired [16/Nov/2012:14:56:13 +0100] "GET /index.php HTTP/1.1" 403 20

IE7 and above give:

192.168.56.102 - NONE [16/Nov/2012:14:56:00 +0100] "GET /index.php HTTP/1.1" 403 20

(Another problem is that browsers have a custom 403 page.)

Am I right, or did I miss something in my configuration?

3.       Third try

I find that "SSLVerifyClient optional" is better for doing what I want, but I don't want to introduce a vulnerability.

What I understand is that if the client doesn't provide a certificate, he can access my site, and if he provides one, this certificate is verified.

So to have the same control as "require", I have to set a strong verification based this time on rewrite rules:

        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS => gives the same control as require and introduces the possibility to filter on the reason?!

Or/and

RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} to control expiration and redirect with the proper 403

Can you confirm that point?

For now, this last solution is the one I prefer, but I'm open to any suggestion that can help me.

Kind regards,
Guillaume Boulamery
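One way to build the third approach from the post ("optional" plus mod_rewrite, with the failure reason kept for a custom 403 page), as an added example that is not code from the original message or from the httpd project; the hostname, file paths and backend port are placeholders, and it assumes Apache terminates TLS itself while HAProxy only forwards TCP:

```apache
# Added example, not from the original post or the httpd project: get
# "require"-equivalent blocking with "SSLVerifyClient optional" plus
# mod_rewrite, while keeping the mod_ssl failure reason for a custom 403.
# Assumptions: Apache terminates TLS (HAProxy only forwards TCP), the
# paths under /etc/ssl/example/ and /cert-error/ are placeholders, and
# the application server listens on 127.0.0.1:8080.
<VirtualHost *:443>
    ServerName app.example.net

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.pem
    # Without a CRL a revoked certificate still verifies as SUCCESS.
    # On httpd 2.4 also add: SSLCARevocationCheck chain
    SSLCARevocationFile   /etc/ssl/example/client-ca.crl
    SSLVerifyClient optional
    SSLVerifyDepth  2
    # Export SSL_CLIENT_VERIFY, SSL_CLIENT_V_REMAIN, ... to the error page
    SSLOptions +StdEnvVars

    RewriteEngine on
    # The 403 page is served via an internal redirect, which runs these
    # rules again: exempt it first or every denial loops into another 403.
    RewriteRule ^/cert-error/ - [L]

    # Deny everything that is not exactly SUCCESS: NONE (no certificate
    # presented, what IE7+ logged in the post), FAILED:<reason>, GENEROUS.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule .* - [F]

    # Valid certificate expiring within 0-13 days: flag it, do not block.
    # (2.2 mod_rewrite has no integer compare, hence the regex; 2.4 has -lt)
    RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} ^([0-9]|1[0-3])$
    RewriteRule .* - [E=CERT_EXPIRES_SOON:1]

    # One 403 page for every reason; as a script it can branch on
    # SSL_CLIENT_VERIFY (NONE / FAILED:certificate has expired / ...).
    # Give it a body of at least 512 bytes, or IE shows its own 403 page.
    ErrorDocument 403 /cert-error/denied.php

    ProxyPass        /cert-error/ !
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Test it with three clients (no certificate, an expired one, a valid one) and confirm that only the last reaches the backend; the access log should show NONE, FAILED:certificate has expired and SUCCESS respectively when %{SSL_CLIENT_VERIFY}x is in the LogFormat.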
