RE: mod_ssl and client cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

For limiting the CA's you accept, look into the directive SSLCADNRequestFile.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcadnrequestfile

regards,
tt
 

-----Original Message-----
From: Manuela.Vorazzo@xxxxxxxxx [mailto:Manuela.Vorazzo@xxxxxxxxx]
Sent: Thursday, May 31, 2007 9:23 AM
To: users@xxxxxxxxxxxxxxxx
Subject:  mod_ssl and client cert


Hello everyone. 
I've an apache 2.2.4 up and running! 
I've this configuration in my ssl.conf file: 

Listen xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerName xxx.xxx.xxx.xxx:443
ErrorLog /opt/CHROOT/HTTPD-2.2.4/logs/error_log
TransferLog /opt/CHROOT/HTTPD-2.2.4/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.cert.temp
SSLCertificateKeyFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.key.temp
SSLCACertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/ProgettieServizi.cer
 <Location />
 SSLVerifyClient require
 SSLVerifyDepth  10
 SSLRequire %{SSL_CLIENT_I_DN_CN} eq "manuciao" 
</Location>
</VirtualHost> 

As you can see I want client authentication but with this configuration the server doesn't ask certificate for the browser. 
If I move  SSLVerifyClient and SSLVerifyDepth out of the location directive the server ask client cert but then it seems that the filter doesn't work. 
And the server ask me a cert I select it from my browser list and it is not signed from a CA with a common name "manuciao" but the server doesn't stop me from serving a page. 

How Can I see   SSL_CLIENT_I_DN_CN value? 
I've turn the debug on but I can't see anything for this variable. 

If I want a configuration where the server asks for client certificates for specific url and accepts only the one with a specific CA or a specific common name what have I to do???? 

What is the configuration in my ssl.conf file? 

Pleas let me know! 
Thanks in advance 


Manuela Vorazzo   






"Dale Ogilvie" <Dale.Ogilvie@xxxxxxxxxxxxx> 

31/05/2007 04.15
Please respond to
users@xxxxxxxxxxxxxxxx

To
<users@xxxxxxxxxxxxxxxx>
cc
Subject
 mod_proxy_balance never recovers from a worker error         with stickysession

	




Hello,

I am running Apache 2.2.3 on RedHat EL 5. I am trying to use Apache to load balance between two local instances of tomcat in order to utilize the vast quantities of RAM on our production server.

My httpd setup looks like this:

<Proxy balancer://tomcat>
   BalancerMember ajp://localhost:8009 min=10 max=100 route=tomcat1
loadfactor=1 retry=120
   BalancerMember ajp://localhost:8010 min=10 max=100 route=tomcat2
loadfactor=1 retry=120
</Proxy>

<Location /balancer-manager>
   SetHandler balancer-manager
   Order deny,allow
   Deny from all
   Allow from .trimblecorp.net
</Location>

ProxyPass /dscgi/ds.py/ balancer://tomcat/docushare/dsweb/
stickysession=JSESSIONID nofailover=On
ProxyPass /docushare balancer://tomcat/docushare stickysession=JSESSIONID nofailover=On ProxyPass /docushare/ balancer://tomcat/docushare/ stickysession=JSESSIONID nofailover=On

The problem is that if one of the workers gets into error status, any client with a JSESSIONID referencing that route is never able to receive a reply, Apache *always* responds with a 503 - Temporarily unavailable,
*until* another request is successful. I expected with "retry=120" that after 120 seconds the client would be able to use the errored out worker, but this is *not* the case.

Test case:

1. Start tomcats
2. Access /docushare, this succeeds and returns a JSESSIONID cookie referencing the member e.g.
JSESSIONID=BC90C156669FDF0194657FF27EC3AF99.tomcat2
3. Stop tomcats to simulate a backend failure 4. Access /docushare again in the same browser session, this fails with a 503 error (as expected). Balance-manager shows tomcat1 is OK, and
tomcat2 is Err
Error_log shows: All workers are in error state for route (tomcat2) 5. Start tomcats again 6. Wait for 120+ seconds to allow retry=120 to take effect 7. Access /docushare *using the session with the tomcat2 cookie*, expect success, get 503 error. I can repeat this step ad nauseam without ever getting a successful response.
Error_log shows: All workers are in error state for route (tomcat2) 8. To resolve the issue, delete the JSESSIONID cookie from the client or open up a new browser and access /docushare. Either of these seem to solve the problem for the "cookied" browser session.
9. Access /docushare, this succeeds, balance-manager shows both tomcat1 and tomcat2 are now OK even though the cookie returned to this request is for *tomcat1*.

So I would expect that the balance would retry the errored path successfully "retry" seconds after the failure. Is this a bug or do I have some misunderstanding and/or misconfiguration?

Regards

--
Dale Ogilvie
Senior Software Engineer
Trimble Navigation NZ Ltd
P O Box 8729
Riccarton
Christchurch
Ph:       +64 3 9635344
Fax:     +64 3 9635317


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





*******************Internet Email Confidentiality Footer******************* Qualsiasi utilizzo non autorizzato del presente messaggio nonché dei suoi allegati è vietato e potrebbe costituire reato. Se ha ricevuto per errore il presente messaggio, Le saremmo grati se ci inviasse, via e-mail, una comunicazione al riguardo e provvedesse nel contempo alla distruzione del messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute nel presente messaggio nonche' nei suoi eventuali allegati devono essere attribuite al mittente e non possono essere necessariamente considerate come autorizzate da SIA-SSB S.p.A.; le medesime dichiarazioni non impegnano SIA-SSB S.p.A. nei confronti del destinatario o di terzi. SIA-SSB S.p.A. non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche o danneggiamenti del presente messaggio e-mail. 
Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA-SSB S.p.A. Besides, The contents of this message shall be understood as neither given nor endorsed by SIA-SSB S.p.A.. SIA-SSB S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux