Re: SSL Client Certificates and CGI

On October 1, 2012 14:58, Tom Browder <tom.browder@xxxxxxxxx> wrote:
> On Mon, Oct 1, 2012 at 10:53 AM, Mark Montague <mark@xxxxxxxxxxx> wrote:
>> On October 1, 2012 9:17, Tom Browder <tom.browder@xxxxxxxxx> wrote:
>>> Inside the restricted area I have:
>>>
>>>     SSLVerifyClient require
>>>
>>> I have found that the configuration doesn't restrict CGI programs at
>>> all as I have them placed
>>> ...
>> Then something weird is going on.  "SSLVerifyClient require" should prevent
>> any client from accessing the CGI programs unless it has a valid
>> certificate.
> But, Mark, does that apply if the CGI programs themselves are NOT
> located in the restricted area?

No, but then you've solved the problem:

1. You have URI paths beneath which you require clients to present certificates in order to not get a HTTP 403 response.
2. You have CGIs, and you find that clients do not need to present certificates when they make requests for the CGI.
3. You say that the CGIs from 2 are not in the area in 1.
4. You observe that the CGIs from 2 are not protected by the requirements for 1. This observation is what is expected, due to 3.

The solution -- as far as Apache HTTP Server is concerned -- is to move the CGIs into the area in 1, or, alternatively, configure the area in 2 to also require clients to present SSL certificates.

If you prefer, you can make client certificates optional for the area in which you have the CGIs (while still requiring client certificates for area 1), but then you'll need to modify each one of your CGIs to check to see whether a client presented a certificate for a given request, and, based on that plus other details of the request, have each CGI make an authorization decision regarding whether to respond with the requested content or whether to respond with an HTTP 403 "Forbidden" error.

If this doesn't answer your question, then I'm not clear on what you are actually asking, and maybe someone else can respond better. Or you could try asking your question in a different way.

--
  Mark Montague
  mark@xxxxxxxxxxx
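The "optional" route Mark describes (client certificates optional for the CGI area, with each CGI making its own authorization decision) is the one that is easy to get wrong, so here is an added example of what such a CGI has to check. This is not code from the thread or from the Apache httpd project. It assumes the Apache configuration shown in the docstring (paths, the `SSLVerifyDepth` value and the allowed common names are all hypothetical), and it relies on two facts about mod_ssl: the `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` variables are only exported to CGIs when `SSLOptions +StdEnvVars` is set, and `SSL_CLIENT_VERIFY` is `SUCCESS` only when the client presented a certificate that chained to a CA in `SSLCACertificateFile`; `NONE` means no certificate, and `FAILED:...` or `GENEROUS` mean the chain did not validate. Anything other than `SUCCESS` (including the variable being absent because `StdEnvVars` was forgotten) must be treated as unauthenticated, otherwise the CGI is exactly as open as Tom found it to be.

```python
#!/usr/bin/env python3
"""CGI that makes its own client-certificate authorization decision.

Added example, not part of the mailing-list thread. Assumed (hypothetical)
Apache httpd configuration for the directory holding the CGIs, following the
"client certificates optional for the CGI area" route:

    ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
    <Directory "/srv/www/cgi-bin/">
        SSLRequireSSL
        SSLVerifyClient optional
        SSLVerifyDepth  2
        SSLOptions +StdEnvVars   # without this, SSL_CLIENT_* are not exported
        Options +ExecCGI
        Require all granted
    </Directory>

The simpler alternative from the reply needs no CGI logic at all: put
"SSLVerifyClient require" in that same <Directory> (or move the CGIs under
the <Location> that already has it).
"""
import html
import os
import sys

# Hypothetical allow-list of certificate common names. A CN is only meaningful
# relative to the CA(s) in SSLCACertificateFile: mod_ssl has already verified
# the chain by the time SSL_CLIENT_VERIFY == "SUCCESS", so nobody outside that
# CA can mint a certificate with one of these names.
ALLOWED_CLIENT_CN = {"alice", "deploy-bot"}


def authorize(env):
    """Return (http_status, detail) for a request, given its CGI environment.

    Fails closed: a missing SSL_CLIENT_VERIFY (StdEnvVars not enabled, or a
    plain-HTTP request) is treated the same as "NONE".
    """
    if env.get("HTTPS") != "on":
        return 403, "TLS is required"
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        # "NONE": no certificate presented. "FAILED:<reason>" / "GENEROUS":
        # a certificate was presented but did not verify against the CA.
        return 403, "client certificate not verified (%s)" % verify
    cn = env.get("SSL_CLIENT_S_DN_CN", "")
    if cn not in ALLOWED_CLIENT_CN:
        return 403, "certificate subject not authorized"
    return 200, cn


def render(status, detail):
    """Build the complete CGI response (headers + body) as a string."""
    if status == 200:
        body = "<p>Hello, %s. Client certificate accepted.</p>" % html.escape(detail)
    else:
        body = "<p>Forbidden: %s</p>" % html.escape(detail)
    reason = "OK" if status == 200 else "Forbidden"
    return (
        "Status: %d %s\r\n" % (status, reason)
        + "Content-Type: text/html; charset=utf-8\r\n"
        + "\r\n"
        + "<!doctype html><html><body>%s</body></html>\n" % body
    )


def main():
    status, detail = authorize(os.environ)
    sys.stdout.write(render(status, detail))


if __name__ == "__main__":
    main()
```

To exercise it without a browser, `curl --cert client.pem --key client.key https://host/cgi-bin/script.py` should return 200 for an allowed CN, and the same URL without `--cert` should return 403 with "client certificate not verified (NONE)". If it returns 403 with "(NONE)" even when a certificate was sent, `SSLOptions +StdEnvVars` is the first thing to check.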

