httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] Re: Access control to allow local clients or remote with SSL client certificate
Date Fri, 16 Jun 2017 11:27:44 GMT
Technically it should work, but you may also want to:

1. Check that the client belongs to some organization/unit as specified in 
the certificate, see 
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire for an 
example. (BTW I don't know if %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ is still 
necessary, but I'd specify it just in case.)

2. Configure a revocation list using SSLCARevocationCheck and 
SSLCARevocationFile (see the same page). But be careful to update your CRL 
file and reload your server in a timely manner (there's usually a cron job 
for this), or it'll stop accepting any certificates as soon as the CRL 
expires.

Without these changes you are granting access to any certificate you (or 
any other CA specified in SSLCACertificateFile) ever issued, even to 
unrelated or obsolete ones.

--

With Best Regards,
Marat Khalili

On 16/06/17 12:24, Darren S. wrote:
> I ended up with this as a test; is this as easy as it should be?
> <VirtualHost _default_:443>
>          ServerName example.com
>          DocumentRoot /var/www/app
>
>          SSLEngine On
>          SSLCertificateFile /etc/ssl/certs/server.crt
>          SSLCertificateKeyFile /etc/ssl/private/server.key
>          SSLCACertificateFile "/etc/apache2/client-ca.crt"
>          <Directory /var/www/app/webroot>
>                  SSLVerifyClient optional
>                  SSLVerifyDepth 1
>                  Options -Indexes
>                  AllowOverride all
>                  <RequireAny>
>                          Require ssl-verify-client
>                          Require local
>                  </RequireAny>
>          </Directory>
> </VirtualHost>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
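The two additions Marat describes, applied to Darren's test vhost, as an added example that is not part of the original thread. The organisation name "Example Corp", the unit "Operations" and the CRL path /etc/apache2/client-ca.crl are assumptions; substitute your own CA's subject fields and paths. The subject and cipher checks are written as a `Require expr` inside the existing `<RequireAny>` rather than as a separate `SSLRequire`, since httpd 2.4 documents `SSLRequire` as deprecated in favour of ap_expr-based requirements and the mod_ssl `SSL_*` variables are available to both.

```apacheconf
# Added example (not from the thread): Darren's vhost with Marat's two additions.
# Assumed names: organisation "Example Corp", unit "Operations",
# CRL at /etc/apache2/client-ca.crl. Adjust to your own CA's subject fields.
<VirtualHost _default_:443>
    ServerName example.com
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Only certificates issued directly by this CA are accepted (SSLVerifyDepth 1 below).
    SSLCACertificateFile "/etc/apache2/client-ca.crt"

    # Point 2: reject revoked client certificates. "chain" checks every certificate
    # in the presented chain against the CRL. Once the CRL's nextUpdate has passed
    # mod_ssl refuses ALL client certificates, so the file has to be refreshed and
    # httpd reloaded before that time.
    SSLCARevocationCheck chain
    SSLCARevocationFile "/etc/apache2/client-ca.crl"

    <Directory /var/www/app/webroot>
        SSLVerifyClient optional
        SSLVerifyDepth 1
        Options -Indexes
        AllowOverride all

        <RequireAny>
            # Loopback clients need no certificate at all.
            Require local

            # Remote clients need a certificate that (a) verified against the CA,
            # (b) carries the expected O and OU (point 1), and (c) was not
            # negotiated with an export or NULL cipher (the SSL_CIPHER check).
            <RequireAll>
                Require ssl-verify-client
                Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Corp' && %{SSL_CLIENT_S_DN_OU} == 'Operations' && %{SSL_CIPHER} !~ /^(EXP|NULL)-/"
            </RequireAll>
        </RequireAny>
    </Directory>
</VirtualHost>
```

For the CRL refresh job, replace the file atomically (write to a temporary name, then rename), confirm the new file's nextUpdate is in the future with `openssl crl -in /etc/apache2/client-ca.crl -noout -nextupdate`, and only then run `apachectl configtest && apachectl graceful`; a job that copies a stale or truncated CRL into place will lock every certificate holder out at the next reload.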

