Hi, I am new to Apache and need help with SSL authentication. I have compiled apache2 on Mac OS X. Configured it with basic authentication and that worked fine. I enabled SSL and that worked fine. Then I generated certificates for the server and clients, installed certificates in clients' browsers and that worked OK too.
Then I tried to combine certificate authentication with basic authentication and that is where I ran into a problem. I am not sure if that is possible to do? When I do that I get the normal prompt from the server to accept the certificate, then the user name and password prompt. I type the user name and password, but then it comes again and again and prompts me for the user name and password over and over again.
When I do not use the client certificate, then typing the user name and password works fine. Here is the section in httpd-ssl.conf where I am experimenting:
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks MultiViews
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificatePath "conf/certs"
    SSLCACertificateFile "conf/certs/cwsca.crt"
    AuthType Basic
    AuthName "CoreWafer"
    AuthUserFile /usr/local/apache2/conf/passwd/passwords
    AuthGroupFile /usr/local/apache2/conf/passwd/groups
    Require group CoreWafer
    Order allow,deny
    Allow from all
</Directory>

If I disable:

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificatePath "conf/certs"
    SSLCACertificateFile "conf/certs/cwsca.crt"

then prompting for user name and password works fine. If I disable:

    AuthType Basic
    AuthName "CoreWafer"
    AuthUserFile /usr/local/apache2/conf/passwd/passwords
    AuthGroupFile /usr/local/apache2/conf/passwd/groups
    Require group CoreWafer

then using the client certificate works fine. It is when I try to use both, that is, the client certificate and the password, that I get into trouble.
I came across kx509 Web Authentication at: http://www.dice.inf.ed.ac.uk/groups/services/web/docs/kx509.html that appears to be doing exactly what I wanted, which is, first use the client certificate to open the SSL channel and then prompt for user name and password. However, they are using the module mod_auth_ssl.c that I was not able to track down anywhere on the Internet. Also it appears that that module may be for Apache 1.3 and not for Apache 2.
Any ideas/comments? Can this be done, and how?

Thank you very much,
Shakti

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.