httpd-users mailing list archives

From Marc Schöchlin ...@256bit.org>
Subject Re: [users@httpd] Client certificate auth behind f5 loadbalancer
Date Wed, 25 Jun 2014 21:53:33 GMT
Hi,

In my understanding, authentication using client certificates is just a
cryptographic validation of a public/private key pair over an already
established SSL-secured channel.
For example, it is possible to use an official certificate for the SSL
channel and my own CA for client certificate validation.

Meanwhile I tried to find the suitable RFC to get details about this
problem - probably http://tools.ietf.org/html/rfc5246#page-55 might be
the right one.
Does anybody have suitable background knowledge of the RFC and mod_ssl
to help me find the source of the problem?

Regards
Marc

On 25.06.2014 21:15, Jens-U. Mozdzen wrote:
> Hi Marc,
>
> Quoting Marc Schöchlin <ms@256bit.org>:
>> Hello apache-users,
>>
>> I'm trying to implement client certificate authentication behind an F5
>> load balancer.
>>
>> My load balancer terminates SSL, and dispatches the decrypted
>> communication via network address translation to the backend Apache
>> server.
>> The client certificate auth should be performed at the webserver.
>>
>> Unfortunately the "SSLVerifyClient" directive is ignored and access is
>> always granted.
>> It seems that without SSL transport encryption enabled, the logic for
>> "SSLVerifyClient" is deactivated.
>>
>>
>> Any hints?
>
> Yes, your web server is only seeing the plain HTTP traffic - all the
> SSL "stuff" got stripped at the load balancer.
>
> You're so to speak asking to look at the post stamp of a letter, while
> you only received the content because your mail service already
> unpacked everything and dumped the envelope...
>
> Regards,
> Jens
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
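
The situation discussed in this thread, as an added configuration example that is not part of either poster's message: the first virtual host is the setup described in the question, the second shows mod_ssl doing the client certificate check when the TLS handshake ends at Apache. Hostname, ports and file paths are placeholders, and the second block assumes the load balancer forwards the TCP connection without decrypting it.

```apache
# Added example. Hostname, ports and file paths are placeholders.

# Setup from the question: the load balancer terminates TLS and sends
# plain HTTP to the backend. No TLS handshake ever reaches this virtual
# host, so mod_ssl has no client certificate to verify and the
# SSLVerifyClient line below is never enforced.
<VirtualHost *:80>
    ServerName app.example.org
    SSLCACertificateFile /etc/apache2/ssl/my-client-ca.pem
    SSLVerifyClient require
</VirtualHost>

# Assumed alternative: the load balancer passes the encrypted connection
# through unchanged, so the handshake (including the client certificate)
# is handled by mod_ssl on this virtual host.
<VirtualHost *:443>
    ServerName app.example.org
    SSLEngine on

    # Server certificate from an official CA, used for the TLS channel
    SSLCertificateFile    /etc/apache2/ssl/app.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/app.example.org.key

    # Own CA, used only to validate client certificates
    SSLCACertificateFile  /etc/apache2/ssl/my-client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```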