Issue with HTTPS mutual authentication using Apache2.2 as a reverse proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi everybody,

i'm currently configuring mutual authentication between an Apache2.2 Reverse Proxy and another backend Webserver product.
the link channel is :

User BROWSER --HTTPS(simple auth)--> Reverse Proxy (Apache2.2) --> HTTPS(mutual auth) --> Backend webserver

The client certificate i use has been signed by an intermediate authority (the chain is composed by 4 CA). Unfortunately, the backend server can only send the top level CA's DN in the "Acceptable client certificate CA names" as part of the TLS proposal process.

Moreover, it seems that Apache2.2 needs all the DN of the CA authorities that constitute the CA chain in this proposal.
Actually, if it's not the case, Apache2.2 does not select any certificate :

>> Proxy client certificate callback: (mywebsite.mydomain.com:443) no client certificate found!?

This config is working great when the backend server is also an Apache2.2 webserver.


So first, is it correct ? and if it's not, what do i need to configure the web server in order to make it working!


Thanks in advance,


PS :

You can find here-below some of my reverse proxy vhost config :

SSLEngine on
SSLCertificateFile my_ssl_server_certificate.crt
SSLCertificateKeyFile my_ssl_server_key.key
SSLCACertificateFile my_ssl_server_ca.pem

SSLProxyEngine on
SSLProxyMachineCertificateFile my_ssl_client_cert_and_key.pem
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile backend_ca_cert.pem


François S.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux