Using SSL configuration and SSLVerifyClient Directive

Hello,

I would like to use SSLVerifyClient in order to do two-way authentication.

Here is my situation:

Client < ------- > HAProxy < ------- > Apache (SSL authentication **) < ------- > tomcat/apache (Application server)

I have to authenticate clients before they can access the application, so that is the goal of (**).

-    Clients with no certificate, or with an expired or revoked one, can't access;

-    Clients with a valid certificate can access;

1.       First try

I found mod_ssl_error (http://marcstern.tripod.com/mod_ssl_error/), which is helpful but depends on the apache/mod_ssl version, and I don't want to maintain that.

2.       Second try

If I set "SSLVerifyClient require" in the server/vhost context, everything works fine at the beginning.

Problems come when I want to redirect users based on the failure reason (no certificate/expired/revoked) or to personalize the 403 page;

I'm trying to use mod_rewrite to do this, but it doesn't work; it's always a 403 that I can't catch with rewrite.

I see that %{SSL_CLIENT_VERIFY}x can give me some information (NONE/FAILED:reason/...), but this information doesn't work with all browsers (another question for me is why they always give the NONE reason)?!

IE6 works fine:

192.168.56.102 - FAILED:certificate has expired [16/Nov/2012:14:56:13 +0100] "GET /index.php HTTP/1.1" 403 20

IE7 and above give:

192.168.56.102 - NONE [16/Nov/2012:14:56:00 +0100] "GET /index.php HTTP/1.1" 403 20

(Another problem is that browsers have a custom 403 page.)

Am I right, or did I miss something in my configuration?

3.       Third try

I found that "SSLVerifyClient optional" is better for doing what I want, but I don't want to introduce a vulnerability.

What I understand is that if the client doesn't provide a certificate, he can access my site, and if he provides one, this certificate is verified.

So to have the same control as "require", I have to set up a strong verification, based this time on rewrite rules:

        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS => gives the same control as require and introduces the possibility to filter on the reason?!

Or/and

        RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} to control expiration and redirect with the proper 403

Can you confirm that point?

For now, this last solution is the one I prefer, but I'm open to any suggestion that can help me.


Kind regards,

Guillaume Boulamery
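An added example (editor's, not from the post above, nor from the mod_ssl or mod_rewrite projects) of the "third try" configuration: `SSLVerifyClient optional` combined with a deny-by-default rewrite that makes it as strict as `require`, reason-specific redirect pages, and the SSL_CLIENT_V_REMAIN expiry check. The hostname, file paths, the /cert-error/ pages and the X-SSL-Client-* header names are assumptions; the config targets httpd 2.4 with mod_ssl, mod_rewrite, mod_alias and mod_headers loaded. Three caveats a practitioner should weigh before relying on it. First, the HAProxy in front must pass TLS through untouched (TCP mode); if it terminates TLS, Apache never sees the client certificate and every request logs as NONE. Second, which FAILED:... values mod_rewrite can actually observe depends on mod_ssl letting the handshake complete for that certificate: with `optional` mod_ssl rejects during the handshake certificates it cannot verify, and `optional_no_ca` only tolerates chain/issuer problems, so the final `!=SUCCESS` catch-all is the rule that does the real work and must stay. Third, on the custom 403 page: Internet Explorer replaces short error bodies with its own "friendly" page (the 20-byte responses in the log above qualify), so make the page comfortably longer than 512 bytes.

```apache
# Added example (editor's, not from the post). Hostname, paths, the
# /cert-error/ pages and the X-SSL-Client-* header names are assumptions.
# Targets httpd 2.4 with mod_ssl, mod_rewrite, mod_alias and mod_headers.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Trust anchors for client certificates and the CRL used for revocation.
    # On 2.4 the CRL is ignored unless SSLCARevocationCheck is set.
    SSLCACertificateFile  /etc/ssl/ca/client-ca.pem
    SSLCARevocationFile   /etc/ssl/ca/client-ca.crl
    SSLCARevocationCheck  chain
    SSLVerifyDepth        2

    # Second try: mod_ssl answers the 403 itself, before mod_rewrite runs.
    # SSLVerifyClient require

    # Third try: the handshake completes with or without a certificate and
    # the decision is made per request below. Nothing else may grant access.
    SSLVerifyClient optional

    # Static explanation pages. They are reachable without a certificate, so
    # keep them static, and exclude them from every rule below (no loops).
    Alias /cert-error/ /var/www/cert-error/
    <Directory /var/www/cert-error/>
        Require all granted
    </Directory>
    ErrorDocument 403 /cert-error/forbidden.html

    RewriteEngine on

    # 1) No certificate presented at all -> explain how to get one.
    RewriteCond %{REQUEST_URI} !^/cert-error/
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =NONE
    RewriteRule .* /cert-error/no-certificate.html [R=302,L]

    # 2) A certificate was presented but mod_ssl recorded a failure; the text
    #    after "FAILED:" is OpenSSL's verification error string. These only
    #    fire when mod_ssl let the handshake complete despite the failure.
    RewriteCond %{REQUEST_URI} !^/cert-error/
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} "^FAILED:certificate has expired"
    RewriteRule .* /cert-error/expired.html [R=302,L]

    RewriteCond %{REQUEST_URI} !^/cert-error/
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} "^FAILED:certificate revoked"
    RewriteRule .* /cert-error/revoked.html [R=302,L]

    # 3) Deny-by-default: anything still not SUCCESS gets a 403. This is the
    #    rule that makes "optional" as strict as "require"; keep it.
    RewriteCond %{REQUEST_URI} !^/cert-error/
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule .* - [F]

    # 4) Valid certificate that expires in under 14 days: do not block, but
    #    flag it for the application (integer comparison needs httpd 2.4).
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} -lt 14
    RewriteRule .* - [E=CERT_EXPIRING_SOON:1]

    # Hand the verified identity to the backend. Always overwrite or strip the
    # headers first so a client cannot smuggle its own values; the backend
    # must accept them only from this proxy.
    SSLOptions +StdEnvVars
    RequestHeader set   X-SSL-Client-DN "%{SSL_CLIENT_S_DN}e"
    RequestHeader unset X-SSL-Client-Expiring-Soon
    RequestHeader set   X-SSL-Client-Expiring-Soon "1" env=CERT_EXPIRING_SOON

    # Backend proxying (e.g. ProxyPass / ajp://tomcat:8009/) omitted here.
</VirtualHost>
```

Quick check once deployed: log `%{SSL_CLIENT_VERIFY}x` as in the post and request the site once with no certificate, once with a valid one and once with a revoked one; the only lines that should ever reach the application are those logged as SUCCESS, and the /cert-error/ pages should be the only URLs served to anything else.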
