Re: [users@httpd] SSL termination on apache but client certificate routed through

Hi Allan,
 
If I get that right, your solution would provide the client certificate to the backend server in the form of a header variable. Is that correct? Therefore the client certificate would not be available as part of a normal, standards-conformant SSL handshake but would essentially be copied into the normal HTTP data part. I would then need to change my backend server's code to look for the certificate in a different place?
 
Don't get me wrong: if my developers here tell me that they can change our application server in this way, I'd be more than happy to use that solution. I just don't see how the server could validate the certificate in this scenario, as it does not have access to the client but only to the reverse proxy.
 
Let me ask you this question: if I provided the client certificate to the backend application server during the normal SSL handshake between apache and application server (let's say I copied it to the place where the apache certificate would normally be), that would surely lead to a mismatch between the DN of the certificate and the hostname of the server presenting the certificate, would it not?
 
Greetings,
 
Christian
 
 


From: allan@xxxxxxx
Sent: Wed 14.09.2005 15:08
To: users@xxxxxxxxxxxxxxxx; Guenther, Christian
Cc: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] SSL termination on apache but client certificate routed through

Quoting "Guenther, Christian" <Christian.Guenther@xxxxxxxxxxxx>:

> Hello List,
>
> I still have this question coming up: I have an apache configured as 
> a reverse proxy. Behind that proxy there is an application server. A 
> client is to connect to the apache via SSL and it needs to 
> authenticate to the internal application server with its client 
> certificate. IS THIS AT ALL POSSIBLE?

yes, we have that.

>
>
>                  |                    |
>                  |                    |
>   +--------+     |     +--------+     |   +--------+
>   | client |-----|---->| apache |-----|-->| appsrv |
>   | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
>   +--------+     |     +--------+     |   +--------+
>                  |                    |
>   initiates      |     encrypts       |   client logon
>   connection    FW1    with cert-2   FW2  with cert-1
>
>
> As can be seen in the crude picture above: the client initiates the 
> SSL connection to the apache. The apache's cert-2 is used for 
> encryption and the client is prepared to authenticate itself using 
> its client cert-1. At the moment the apache is NOT configured to 
> validate the client's certificate, but ignores it - this is because 
> the apache has no knowledge of the application that wants the 
> authentication in the backend server.
> After the SSL connection between client and apache is established, 
> the apache initiates a new SSL connection to the application server. 
> This connection is encrypted with the appsrv's cert-3. Now the 
> application server wants the client to authenticate itself using a 
> client certificate instead of a normal username/password pair. 
> This, of course, fails at the moment, because the certificate of the 
> apache has no rights in the application and the client cert-1 is lost 
> due to the apache terminating the SSL connection.
>
> Now again my question: Can I configure the apache to forward the 
> client cert-1 to the backend application server? Is there a module 
> that I can use for this? I'm not sure at the moment if such a module 
> could work at all.

yes, mod_rewrite can do this.
this is some old stuff, but you might get the idea:

# Requires RewriteEngine On, mod_ssl and mod_headers, and a client
# certificate actually being requested from the browser (SSLVerifyClient
# optional or optional_no_ca); otherwise SSL_CLIENT_CERT is always empty.

# internal function: percent-encode the value so its newlines survive in a header
RewriteMap  canonicalize int:escape

# client cert check: capture the base64 body between the BEGIN and END lines
# (NC because the END line is written in lower case here; Apache allows no
# trailing comment on a directive line, so the flags close the continuation)
RewriteCond  %{SSL:SSL_CLIENT_CERT} \
             ^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+certificate-----$ [NC]
# ok, we had a client cert, so first put it in an env variable
RewriteRule  ^/login - [E=FORWARD_CERT:${canonicalize:%1}]

# then use that env variable to forward it to the app server via a custom
# request header (set only when a cert was seen; a header of the same name
# sent by the client itself is otherwise passed through unchanged, so unset
# it unconditionally before this line)
RequestHeader set APACHE_CLIENT_CERT_HARD %{FORWARD_CERT}e env=FORWARD_CERT


with this you should have the backend code on the appserver pull out 
the requestheader value and authenticate via that


./allan
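An added example, not code from the thread or from either poster, of the backend-side step allan describes, in Go: the app server takes the header value, reverses the int:escape encoding, decodes the base64 body that the RewriteCond captured, verifies the certificate against the application's own CA and only then treats the subject as logged in. Assumed: the header value arrives as a string, the proxy's address is known to the backend, and the root pool would come from the application's trust store; the test CA and the "alice" certificate are constructed inside Fixture for the demonstration only.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// ClientFromProxiedRequest recovers the forwarded client certificate from the header, verifies it and returns the login name.
func ClientFromProxiedRequest(peerIP, proxyIP, hdr string, roots *x509.CertPool) (string, error) {
	if peerIP != proxyIP { // only the proxy may assert a certificate; any other peer could forge the header
		return "", errors.New("client-cert header accepted only from the reverse proxy")
	}
	// The header carries %1 (the base64 body between the BEGIN/END lines) through int:escape, so line breaks arrive as %0A.
	// PathUnescape reverses that; QueryUnescape would turn base64 '+' into spaces. A bad escape yields "" and fails below.
	raw, _ := url.PathUnescape(hdr)
	der, err := base64.StdEncoding.DecodeString(raw) // the decoder skips the newlines itself
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // unknown CA, expired, or not issued for client authentication
	}
	return cert.Subject.CommonName, nil
}

// Fixture builds a constructed test CA and client certificate for "alice" plus the header value Apache would set for it
// (PEM-wrapped base64 through url.PathEscape, standing in for int:escape). Test data only, not from the thread.
func Fixture() (hdr string, roots *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one key serves both certificates in this fixture
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, pub, priv)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, pub, priv)
	b64 := base64.StdEncoding.EncodeToString(leafDER)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return url.PathEscape(b64[:64] + "\n" + b64[64:] + "\n"), roots
}
```

Because the RequestHeader directive above only fires when a certificate was seen, a request that presents none but carries its own APACHE_CLIENT_CERT_HARD header is forwarded unchanged, so the peer check here complements, rather than replaces, stripping that header at the proxy.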

