It was thus said that the Great Brian Mearns once stated:

> I just want to double check some things because I implement ssl client
> auth on my server, to make sure I really understand what I'm doing:
>
> First, if I use SSLRequire to check various fields in a client's
> certificate, is it implied that the certificate has already been
> verified as signed by one of the CA's I've defined in
> SSLCACertificateFile, for instance? In other words, this isn't just
> checking that someone made a certificate with the correct DN values,
> right? It's also verifying implicitly that it comes from an approved
> CA? I assume the same is true if I use FakeBasicAuth?
>
> Second, I was trying to test the above question by creating
> self-signed certs, adding them to my browser, and making sure the
> server would not authenticate them. But when I did, my browser
> (Firefox) didn't even provide them as an option for me to use. I know
> this isn't strictly an apache question, but I think this is probably
> because of the "list of acceptable Certificate Authority names" sent
> to the browser by my server... does that sound correct? If this is the
> case, is there a way to get my server to tell the browser that any
> certificate is fine, but still only actually authenticate those signed
> by the appropriate CA's?

I've actually set this up and got it working. I used TinyCA [1] to set
up a Certificate Authority to sign certificates. I then created a
certificate for the server [2] and one for myself.

I then added the CA certificate as a trusted authority in my browser
(Firefox, Preferences->Advanced->Encryption->View Certificates->Authorities,
then imported the CA certificate) so I wouldn't get a warning when
visiting my site. I then added the CA certificate to the file specified
by the Apache directive SSLCACertificateFile, so Apache would accept
certificates signed by my Certificate Authority.

Next up, installing the certificate for ME into my browser (exported as
PKCS#12) (Prefs->Advanced->Encryption->View Certificates->Your
Certificates, then import). I then configured my secure site to require
a certificate for a directory---configuration below.

  <VirtualHost 66.252.224.242:443>
    ServerName    secure.conman.org
    ServerAdmin   sean@xxxxxxxxxx
    DocumentRoot  /home/spc/web/sites/secure.conman.org/s-htdocs
    ScriptAlias   /cgi-bin/ /home/spc/web/sites/secure.conman.org/cgi-bin/
    CustomLog     /home/spc/web/logs/s-secure.conman.org sslcombined
    UseCanonicalName on

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP
    SSLProtocol all -SSLv2
    SSLCertificateFile    /home/spc/web/sites/secure.conman.org/server.crt
    SSLCertificateKeyFile /home/spc/web/sites/secure.conman.org/server.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
      SSLOptions +StdEnvVars
    </Files>

    <Directory /home/spc/web/sites/secure.conman.org/cgi-bin>
      Options -Indexes
      SSLOptions +StdEnvVars
    </Directory>

    <Directory /home/spc/web/sites/secure.conman.org/s-htdocs>
      Options All
      AllowOverride None
    </Directory>

    <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
      SSLRequireSSL
      SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories" \
             and %{SSL_CLIENT_S_DN_OU} eq "Clients"
      SSLVerifyClient require
      SSLVerifyDepth  10
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
  </VirtualHost>

I pulled the various directives from other files and placed them in one
place, just to help me figure out what was going on.

Hope this helps some.

  -spc (TinyCA made this all that much easier to deal with)

[1] http://tinyca.sm-zone.net/

[2] http://secure.conman.org/ and https://secure.conman.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.