Hi everybody, I'm currently configuring mutual authentication between an Apache2.2 Reverse Proxy and another backend Webserver product.
The link channel is: User BROWSER --HTTPS(simple auth)--> Reverse Proxy (Apache2.2) --> HTTPS(mutual auth) --> Backend webserver
The client certificate I use has been signed by an intermediate authority (the chain is composed of 4 CAs). Unfortunately, the backend server can only send the top level CA's DN in the "Acceptable client certificate CA names" as part of the TLS proposal process.
Moreover, it seems that Apache2.2 needs all the DNs of the CA authorities that constitute the CA chain in this proposal.
Actually, if it's not the case, Apache2.2 does not select any certificate:
>> Proxy client certificate callback: (mywebsite.mydomain.com:443) no client certificate found!?
This config is working great when the backend server is also an Apache2.2 webserver.
So first, is it correct? And if it's not, what do I need to configure on the web server in order to make it work?
Thanks in advance,

PS: You can find below some of my reverse proxy vhost config:

    SSLEngine on
    SSLCertificateFile my_ssl_server_certificate.crt
    SSLCertificateKeyFile my_ssl_server_key.key
    SSLCACertificateFile my_ssl_server_ca.pem
    SSLProxyEngine on
    SSLProxyMachineCertificateFile my_ssl_client_cert_and_key.pem
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile backend_ca_cert.pem

François S.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
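
Added example, not part of the original post and not mod_ssl code: a small Python model of the situation described above. It parses a constructed `openssl s_client` excerpt for the advertised CA names and compares issuer-only matching with chain-aware matching against a constructed four-CA chain; all DNs, the one-line DN format and the function names are assumptions.

```python
# Added example: constructed data and a simplified model, not mod_ssl source.
HEADER = "Acceptable client certificate CA names"
BASE = "/C=FR/O=Example Corp/CN="

# Constructed excerpt of `openssl s_client` output (one-line DN format assumed);
# the backend advertises only the top-level CA, as in the post.
S_CLIENT_OUTPUT = f"""---
{HEADER}
{BASE}Example Root CA
---
SSL handshake has read 4021 bytes and written 352 bytes
"""

# Constructed client chain as (subject, issuer) pairs, leaf first, four CAs.
CHAIN = [
    (BASE + "reverse-proxy", BASE + "Example Issuing CA"),
    (BASE + "Example Issuing CA", BASE + "Example Sub CA 2"),
    (BASE + "Example Sub CA 2", BASE + "Example Sub CA 1"),
    (BASE + "Example Sub CA 1", BASE + "Example Root CA"),
]

def acceptable_ca_names(output):
    """Return the DNs the server listed in its CertificateRequest."""
    lines = [line.strip() for line in output.splitlines()]
    if HEADER not in lines:
        return []
    names = []
    for line in lines[lines.index(HEADER) + 1:]:
        if not line.startswith("/"):
            break  # end of the DN list
        names.append(line)
    return names

def direct_issuer_match(chain, ca_names):
    """Issuer-only selection: the leaf's immediate issuer must be advertised."""
    return not ca_names or chain[0][1] in ca_names  # empty list accepts any cert

def chain_aware_match(chain, ca_names):
    """Chain-aware selection: any CA above the leaf may be advertised."""
    return not ca_names or any(issuer in ca_names for _, issuer in chain)

def unadvertised_cas(chain, ca_names):
    """Chain CAs missing from the server's list, nearest the leaf first."""
    return [issuer for _, issuer in chain if issuer not in ca_names]

if __name__ == "__main__":
    names = acceptable_ca_names(S_CLIENT_OUTPUT)
    print("advertised:", names)
    print("issuer-only match:", direct_issuer_match(CHAIN, names))
    print("chain-aware match:", chain_aware_match(CHAIN, names))
    print("not advertised:", unadvertised_cas(CHAIN, names))
```

With only the root DN advertised, issuer-only matching rejects the certificate while chain-aware matching accepts it, and the three unadvertised DNs are the ones the backend would have to add to its list for issuer-only matching to succeed.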