Hi Tom, the normal access log does not contain SSL information. If you want it, create a special log using the directive CustomLog, i.e.CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log" "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\" SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\" SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""
See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats for details.
By the way, I suggest you to replace the "SSLVerifyClient require" with
SSLVerifyClient optional
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
ErrorDocument 403 /certneedederror.html
The big advantage is that when something goes wrong, the user will get
a web page with a nice error message you have written, instead of some weird
browser popup dialog window with an internal SSL error code.
Best regards
Martin
Dne 21.1.2011 11:24, Tom Evans napsal(a):
Hi all
Apache/2.2.17 (FreeBSD)
I'm trying to use client certificates to authenticate my few users. I
created a self-signed CA, server certificates and user certificates,
and installed them in the appropriate places. I then created a vhost:
<VirtualHost *:443>
ServerName rc.ketbun.com
SSLEngine on
SSLCertificateFile /etc/ssl/ketbun/star.ketbun.com/apache.crt
SSLCertificateKeyFile /etc/ssl/ketbun/star.ketbun.com/apache.key
SSLCACertificateFile /etc/ssl/ketbun/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLCARevocationFile /etc/ssl/ketbun/ca.crl
SSLOptions +FakeBasicAuth +StdEnvVars
RequestHeader set X-Username %{SSL_CLIENT_S_DN_Email}s
</VirtualHost>
This all works nicely, and users can only access if they have been
issued with keys/certificates and installed them in their browser.
However, I can't seem to get any of these details to be logged.
Without creating phony .htpasswd files listing all my users with dummy
passwords, is there any way to extract an attribute from the client
certificate's DN and use that to populate r->username? FakeBasicAuth
doesn't seem to want to do anything without the dummy .htpasswd, and
whilst I can pass the information easily enough to the webapps without
this (adding it as a request header), this doesn't help me get the
info into the access logs.
Any ideas?
Cheers
Tom
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See<URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Supercomputing Center Brno Martin Kuba Institute of Computer Science email: makub@xxxxxxxxxxx Masaryk University http://www.ics.muni.cz/~makub/ Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775 --------------------------------------------------------------
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
|