Hi Tom, the normal access log does not contain SSL information. If you want it, create a special log using the directive CustomLog, i.e.CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log" "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\" SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\" SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""
See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats for details. By the way, I suggest you to replace the "SSLVerifyClient require" with SSLVerifyClient optional SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" ErrorDocument 403 /certneedederror.html The big advantage is that when something goes wrong, the user will get a web page with a nice error message you have written, instead of some weird browser popup dialog window with an internal SSL error code. Best regards Martin Dne 21.1.2011 11:24, Tom Evans napsal(a):
Hi all Apache/2.2.17 (FreeBSD) I'm trying to use client certificates to authenticate my few users. I created a self-signed CA, server certificates and user certificates, and installed them in the appropriate places. I then created a vhost: <VirtualHost *:443> ServerName rc.ketbun.com SSLEngine on SSLCertificateFile /etc/ssl/ketbun/star.ketbun.com/apache.crt SSLCertificateKeyFile /etc/ssl/ketbun/star.ketbun.com/apache.key SSLCACertificateFile /etc/ssl/ketbun/ca.crt SSLVerifyClient require SSLVerifyDepth 1 SSLCARevocationFile /etc/ssl/ketbun/ca.crl SSLOptions +FakeBasicAuth +StdEnvVars RequestHeader set X-Username %{SSL_CLIENT_S_DN_Email}s </VirtualHost> This all works nicely, and users can only access if they have been issued with keys/certificates and installed them in their browser. However, I can't seem to get any of these details to be logged. Without creating phony .htpasswd files listing all my users with dummy passwords, is there any way to extract an attribute from the client certificate's DN and use that to populate r->username? FakeBasicAuth doesn't seem to want to do anything without the dummy .htpasswd, and whilst I can pass the information easily enough to the webapps without this (adding it as a request header), this doesn't help me get the info into the access logs. Any ideas? Cheers Tom --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See<URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Supercomputing Center Brno Martin Kuba Institute of Computer Science email: makub@xxxxxxxxxxx Masaryk University http://www.ics.muni.cz/~makub/ Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775 --------------------------------------------------------------
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature