httpd-users mailing list archives

From Jean-Francois Maeyhieux <b...@free.fr>
Subject Re: [users@httpd] SSL authentication by clients certificates or by IP
Date Thu, 14 Mar 2013 12:55:08 GMT

My problem is exactly here. How could I use the 'Satisfy Any'
directive to check that the client certificate is valid and has some
specific fields?

Is 'Satisfy Any' compatible with the
'SSLVerifyClient/SSLVerifyDepth/SSLRequire' directives?

All my attempts to mix both end in an "Internal Server Error" page.


Relevant part of such a test:

        SSLVerifyClient optional
        SSLOptions +StdEnvVars +OptRenegotiate
        
        <Location />
                SSLRequireSSL
                SSLVerifyClient optional
                SSLVerifyDepth 5
                SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "European Space Agency" and %{SSL_CLIENT_S_DN_OU} eq "DGC-C" )
                
                Order deny,allow
                Require IP 10.0.0.8
                Satisfy any
        </Location>


Maybe it's possible to test an environment variable set by
SSLVerifyClient, such as SSL_CLIENT_VERIFY = SUCCESS.


I have no more ideas, so any suggestion is welcome!


Zentoo 


On Thu, 2013-03-14 at 08:08 -0400, Yehuda Katz wrote:
> I am not near my computer, so I can't test this, but I believe what
> you are looking for is the "Satisfy Any" directive. 
> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
> 
> 
> - Y
> 
> On Thursday, March 14, 2013, Jean-Francois Maeyhieux wrote:
>         Hello everyone!
>         
>         My purpose is simple:
>         
>         I want a single SSL vhost that permits two ways to access the
>         website:
>         a) People from specific IPs can access the content
>         b) People with a valid client certificate can access the
>         content
>         
>         I know how to achieve each access method separately, but not
>         both at the same time.
>         How could I write a vhost that accepts connections from
>         specific IPs and from people with a valid client certificate?
>         
>         Zentoo
>         
>         My current vhost, which permits only client certificates but
>         doesn't accept specific IPs:
>         
>         <VirtualHost x.x.x.x:443>
>                 SSLEngine on
>         
>                 SSLCertificateFile    /etc/httpd/conf/my-ca/www.toto.com.crt
>                 SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
>                 SSLCACertificateFile  /etc/httpd/conf/my-ca/myCA.crt
>                 SSLCARevocationFile   /etc/httpd/conf/my-ca/myCA-crl.pem
>         
>                 SSLProtocol -SSLv2 -SSLv3 +TLSv1
>                 SSLHonorCipherOrder on
>                 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
>         
>                 ServerName www.toto.com
>                 DocumentRoot /var/www/htdocs
>         
>                 ErrorLog  /var/logs/ssl_error_log
>                 CustomLog /var/logs/ssl_access_log combined
>         
>                 <Location />
>                         SSLRequireSSL
>                         # Note that SSLVerifyClient optional brings MS IE incompatibility
>                         SSLVerifyClient optional
>                         SSLVerifyDepth 5
>                         SSLOptions OptRenegotiate
>                         SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D" ) \
>                                    or ( %{SSL_CLIENT_S_DN_O} eq "MyCompany" and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
>                 </Location>
>         
>         </VirtualHost>
>         
>         
>         
>         
>         
>         
> 
> 
> -- 
> Sent from a gizmo with a very small keyboard and hyper-active
> auto-correct.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
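Editor's note with an added example (not part of the thread, and not the poster's configuration). Two points a practitioner would want about the failing attempt above. First, in httpd 2.2 'Satisfy Any' only lets a failed access check fall back to user authentication configured with AuthType and 'Require user' or 'Require valid-user'; 'Allow from' and 'SSLRequire' are both access checks, and if either of them denies, the request is denied, so a passing 'Allow from' cannot override a failing 'SSLRequire'. Second, 'Require IP' is not a 2.2 requirement, and any 'Require' line inside a scope with no AuthType makes httpd attempt user authentication and fail with a 500 "configuration error: couldn't check user", which matches the Internal Server Error reported. On 2.2 the "trusted IP or valid certificate" policy therefore has to be a single SSLRequire expression joined with 'or', as in the first post of the thread. On httpd 2.4 the same policy can be written with the RequireAny/RequireAll containers, mixing 'Require ip' with mod_ssl's 'ssl-verify-client' authorization provider and 'Require expr' tests on the certificate subject, as shown below. The paths, the address 10.0.0.8 and the O/OU strings are placeholders copied from the thread.

```apache
# Added example, not the poster's configuration: "trusted IP OR valid client
# certificate with the expected O/OU" on Apache httpd 2.4. Paths, the address
# 10.0.0.8 and the O/OU strings are placeholders copied from the thread.
<VirtualHost x.x.x.x:443>
    ServerName   www.toto.com
    DocumentRoot /var/www/htdocs
    ErrorLog     /var/logs/ssl_error_log
    CustomLog    /var/logs/ssl_access_log combined

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/my-ca/www.toto.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
    SSLCACertificateFile  /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile   /etc/httpd/conf/my-ca/myCA-crl.pem
    # httpd 2.4 ignores the CRL unless checking is switched on explicitly.
    SSLCARevocationCheck  chain

    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # 'optional': a client may omit the certificate (it is then judged on its
    # address alone), but a certificate that is sent must verify against the
    # CA and CRL or the handshake fails, whatever the client's address.
    SSLVerifyClient optional
    SSLVerifyDepth  5
    SSLOptions +StdEnvVars

    <Location />
        SSLRequireSSL
        # Authorization succeeds if ANY branch succeeds.
        <RequireAny>
            # a) trusted source address, no certificate needed
            Require ip 10.0.0.8
            # b) a verified certificate AND the expected subject O and OU
            <RequireAll>
                Require ssl-verify-client
                Require expr "%{SSL_CLIENT_S_DN_O}  == 'European Space Agency'"
                Require expr "%{SSL_CLIENT_S_DN_OU} == 'DGC-C'"
            </RequireAll>
        </RequireAny>
    </Location>
</VirtualHost>
```

'SSLVerifyClient optional' is what makes the OR possible: a client that presents no certificate completes the handshake and is then judged on its address alone, while a client whose certificate does not verify against SSLCACertificateFile (or is listed in the CRL) is rejected during the handshake regardless of its address. Check the configuration with 'apachectl configtest', then compare an 'openssl s_client -connect www.toto.com:443 -cert client.crt -key client.key' session from an untrusted address, which should be authorized only when the certificate's O and OU match, with a plain 'curl -k https://www.toto.com/' from 10.0.0.8, which should be authorized with no certificate at all.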

