On Tue, Jan 20, 2009 at 2:30 AM, Sean Conner <spc@xxxxxxxxxx> wrote:
> It was thus said that the Great Brian Mearns once stated:
>> I just want to double check some things because I implement ssl client
>> auth on my server, to make sure I really understand what I'm doing:
>>
>> First, if I use SSLRequire to check various fields in a client's
>> certificate, is it implied that the certificate has already been
>> verified as signed by one of the CA's I've defined in
>> SSLCACertificateFile, for instance? In other words, this isn't just
>> checking that someone made a certificate with the correct DN values,
>> right? It's also verifying implicitly that it comes from an approved
>> CA? I assume the same is true if I use FakeBasicAuth?
>>
>> Second, I was trying to test the above question by creating
>> self-signed certs, adding them to my browser, and making sure the
>> server would not authenticate them. But when I did, my browser
>> (Firefox) didn't even provide them as an option for me to use. I know
>> this isn't strictly an apache question, but I think this is probably
>> because of the "list of acceptable Certificate Authority names" sent
>> to the browser by my server...does that sound correct? If this is the
>> case, is there a way to get my server to tell the browser that any
>> certificate is fine, but still only actually authenticate those signed
>> by the appropriate CA's?
>
> I've actually set this up and got it working. I used TinyCA [1] to set up
> a Certificate Authority to sign certificates. I then created a certificate
> for the server [2] and one for myself. I then added the CA certificate as a
> trusted authority in my browser (Firefox,
> Preferences->Advanced->Encryption->View Certificates->Authorities, then
> imported the CA certificate) so I wouldn't get a warning when visiting my
> site.
>
> I then added the CA certificate to the file specified by the Apache
> directive SSLCACertificateFile, so Apache would accept certificates signed
> by my Certificate Authority.
>
> Next up, installing the certificate for ME into my browser (exported as
> PKCS#12) (Prefs->Advanced->Encryption->View Certificates->Your Certificates,
> then import). I then configured my secure site to require a certificate for
> a directory---configuration below.
>
> <VirtualHost 66.252.224.242:443>
>   ServerName      secure.conman.org
>   ServerAdmin     sean@xxxxxxxxxx
>   DocumentRoot    /home/spc/web/sites/secure.conman.org/s-htdocs
>   ScriptAlias     /cgi-bin/ /home/spc/web/sites/secure.conman.org/cgi-bin/
>   CustomLog       /home/spc/web/logs/s-secure.conman.org sslcombined
>   UseCanonicalName on
>
>   SSLEngine on
>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP
>   SSLProtocol all -SSLv2
>   SSLCertificateFile    /home/spc/web/sites/secure.conman.org/server.crt
>   SSLCertificateKeyFile /home/spc/web/sites/secure.conman.org/server.key
>
>   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
>   </Files>
>
>   <Directory /home/spc/web/sites/secure.conman.org/cgi-bin>
>     Options -Indexes
>     SSLOptions +StdEnvVars
>   </Directory>
>
>   <Directory /home/spc/web/sites/secure.conman.org/s-htdocs>
>     Options All
>     AllowOverride None
>   </Directory>
>
>   <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
>     SSLRequireSSL
>     SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
>            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
>     SSLVerifyClient require
>     SSLVerifyDepth 10
>   </Directory>
>
>   SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
>
> </VirtualHost>
>
> I pulled the various directives from other files and placed them in one
> place, just to help me figure out what was going on. Hope this helps some.
>
> -spc (TinyCA made this all the much easier to deal with)
>
> [1] http://tinyca.sm-zone.net/
>
> [2] http://secure.conman.org/ and https://secure.conman.org/

Thanks for the detailed response, Sean. I'm still not entirely clear on one
thing, though: If I created my own certificate and gave the organization
name "Conman Laboratories" and an Organizational unit name of "Clients",
would I be able to get onto your site? I'm 90% sure that the answer is NO,
because I'm not signed by the CA specified by the SSLCACertificateFile
directive, but the Apache documentation, as I interpreted it, is not
explicit that this directive applies an implicit condition to the
SSLRequire directive.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/
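An added configuration example, not Sean's config and not from the thread, that spells out how the directives Brian asks about relate to each other; the paths under /etc/apache2/ssl/ and /var/www/secure/ are assumed, and the DN values are the ones from Sean's SSLRequire line.

```apache
# Added example (assumed paths). The trust store: certificates the server
# accepts as *issuers* of client certificates. Their subject names are also
# what mod_ssl advertises to the browser as the acceptable CA names in the
# CertificateRequest, which is why Firefox only offers certificates that
# chain to one of these CAs.
SSLCACertificateFile /etc/apache2/ssl/clients-ca.crt

# Optional (Apache 2.2 and later): advertise a different set of CA names to
# the browser than the set used for verification. Chain verification still
# happens only against SSLCACertificateFile.
# SSLCADNRequestFile /etc/apache2/ssl/advertised-ca-names.crt

<Directory /var/www/secure/library>
    SSLRequireSSL

    # "require" is what makes the chain check happen: the handshake is
    # aborted unless the client certificate chains to a CA in
    # SSLCACertificateFile within SSLVerifyDepth. With the default
    # (SSLVerifyClient none) no client certificate is ever requested, so the
    # SSL_CLIENT_S_DN_* variables stay empty and a DN-only SSLRequire would
    # simply deny everyone.
    SSLVerifyClient require
    SSLVerifyDepth 10

    # The DN test only selects *which* CA-issued certificates are admitted;
    # it is evaluated after the chain check above has already succeeded.
    SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories" \
           and %{SSL_CLIENT_S_DN_OU} eq "Clients"
</Directory>

# Weaker variant, shown for contrast: optional_no_ca lets the handshake
# complete even when the chain check fails (handy when debugging). In this
# mode a self-signed certificate carrying O="Conman Laboratories" and
# OU="Clients" WOULD pass the DN test on its own, so the verification
# result has to be checked explicitly via SSL_CLIENT_VERIFY.
<Directory /var/www/secure/debug>
    SSLRequireSSL
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLRequire %{SSL_CLIENT_VERIFY}  eq "SUCCESS" \
           and %{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories" \
           and %{SSL_CLIENT_S_DN_OU} eq "Clients"
</Directory>
```

SSL_CLIENT_VERIFY takes the values NONE, SUCCESS, GENEROUS or FAILED:reason, so the explicit test in the second block is what separates a CA-issued certificate from one that merely copies the DN fields.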