Posted to users@httpd.apache.org by Rick Yorgason <ri...@ldagames.com> on 2008/09/16 04:24:56 UTC

[users@httpd] Making SSLVerifyClient optional using mod_rewrite and Alias?

Hi everyone,

Here's the challenge I'm trying to solve.  I'd like to use the 
SSLVerifyClient directive to offer better security to users who know 
about client certificates, but only for users who opt in to the extra 
security.

To make matters more difficult, I'd like to use the same URLs for my 
pages regardless of whether they're using client certificates or not.

How would you accomplish this?

I know the first thing everybody is going to think is "If you want it to 
be optional, just use 'SSLVerifyClient optional_no_ca'", but that runs 
the risk of the user being *asked* for their cert, even if they have no 
idea what a client cert is.  Sure, they can just hit cancel and get in, 
but it looks like a bug to people who don't know better.

I've managed to hack together this little work-around, and it works! 
But I'm not sure it's a good idea:

> RewriteCond %{HTTP_COOKIE} cert=opt
> RewriteRule ^/(.*) /certopt/$1 [NS,PT]
> 
> 	<Location /certopt>
> 	SSLVerifyClient optional_no_ca
> 	SSLOptions +StdEnvVars +ExportCertData
> 	</Location>
> 
> Alias /certopt C:/Projects/website

(In the example I'm using a cookie to change whether or not I'm using 
the extra verification, under the assumption that the final PHP code 
will do proper validation, but I could use any method mod_rewrite supports.)

So basically, I'm using one method of rewriting the URL (mod_rewrite) so 
I can pick up the extra SSL directives, then I'm using a *different* 
method of URL rewriting (alias) to return the URL to its original state.

Only thing is, I'm not 100% certain that this is actually *supposed* to 
work.  Can I rely on this working in future versions?  Is it a terrible 
idea?  Is there a better way to do it?  Am I going to be forced to learn 
the inner workings of mod_ssl and write a patch if I want this feature?

Thanks,

-Rick-

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Making SSLVerifyClient optional using mod_rewrite and Alias?

Posted by Rick Yorgason <ri...@ldagames.com>.
Torsten Foertsch wrote:
> On Tue 16 Sep 2008, Rick Yorgason wrote:
> There is a major drawback in that approach as with allowing SSL 
> renegotiation in general. You cannot deploy large POST requests. 

Unfortunately, if POST requests are hampered, then it's really not going 
to be useful to me.

> Now a few remarks to think about. You said you want that for extra 
> security. For whom? The SSL connection is not better encrypted if the 
> client supplies a certificate. The only thing that a client 
> certificate can achieve is to make sure for the server to whom it 
> talks. The client gains nothing.
> 
> But in that case using optional_no_ca is complete nonsense. Because if 
> the server doesn't have a trusted CA certificate to verify the 
> certificate supplied by the client the client can fake any identity it 
> wants.

It's not useful for knowing *who* you're talking to, per se, but it's 
useful for knowing that you're talking to the *same* person you were 
talking to before, right?  That way if somebody has cookies that 
identify their session or their persistent login, then a session 
fixation attack would be useless unless you can also steal their private 
key.

Of course, I'd still be careful to make sure everything is as secure as 
possible for people who don't have certs (i.e. most of them) but client 
certs seem like a Good Thing, so I like the idea of offering them to 
people (especially admins).

Cheers,

-Rick-
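
Added example, not part of the original thread: the application-side check that the "same person as before" argument above depends on, sketched in Python rather than the poster's PHP. It reads the variables exported by `SSLOptions +StdEnvVars +ExportCertData` and pins a certificate fingerprint to the session on first use. The session keys `cert_sha256` and `enroll_cert` and the sample PEM data are assumptions made for this example.

```python
import base64
import hashlib
import hmac

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"

def cert_fingerprint(pem: str) -> str:
    """SHA-256 hex digest of the DER bytes inside a PEM certificate."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not a PEM certificate")
    # binascii.Error raised on bad base64 is a ValueError subclass.
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return hashlib.sha256(der).hexdigest()

def check_binding(env: dict, session: dict) -> str:
    """Return 'plain', 'enrolled', 'ok' or 'reject' for one request."""
    fp = None
    # optional_no_ca reports GENEROUS for a certificate with no trusted issuer.
    if env.get("SSL_CLIENT_VERIFY") in ("SUCCESS", "GENEROUS"):
        try:
            fp = cert_fingerprint(env.get("SSL_CLIENT_CERT", ""))
        except ValueError:
            fp = None
    pinned = session.get("cert_sha256")  # hypothetical session key
    if pinned is None:
        # Pin only when the logged-in user asked for it (hypothetical flag).
        if fp is None or not session.get("enroll_cert"):
            return "plain"
        session["cert_sha256"] = fp
        return "enrolled"
    # Opted-in session: a missing or different certificate fails closed.
    if fp is None:
        return "reject"
    return "ok" if hmac.compare_digest(fp, pinned) else "reject"

def fake_pem(der: bytes) -> str:
    """Constructed sample input: arbitrary bytes in PEM armour, not a real cert."""
    return f"{PEM_HEAD}\n{base64.encodebytes(der).decode()}{PEM_TAIL}\n"

SAMPLE_A = fake_pem(b"constructed-der-bytes-A")
SAMPLE_B = fake_pem(b"constructed-der-bytes-B")
```

The requirement comes from server-side session state, so a request on a pinned session that arrives without the certificate (for instance without the `cert=opt` cookie) is rejected instead of being served as a plain session.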



Re: [users@httpd] Making SSLVerifyClient optional using mod_rewrite and Alias?

Posted by Torsten Foertsch <to...@gmx.net>.
On Tue 16 Sep 2008, Rick Yorgason wrote:
> Here's the challenge I'm trying to solve.  I'd like to use the
> SSLVerifyClient directive to offer better security to users who know
> about client certificates, but only for users who opt in to the extra
> security.
>
> To make matters more difficult, I'd like to use the same URLs for my
> pages regardless of whether they're using client certificates or not.
>
> How would you accomplish this?

Just an idea:

SSL is connection level stuff. Once the SSL negotiation is over all 
those settings can be used by all (sub)requests that use that 
connection. So, configure your URL for SSL but without client 
certification. Then decide somehow whether you want a client 
certificate. If yes, issue a subrequest to a special URL that is 
configured so that it requires a client certificate. That will trigger 
a new SSL handshake where the server requires the certificate. With 
mod_rewrite you can issue a subrequest using %{LA-U:variable}. Which 
URL is used in that subreq I don't know.

I have used that idea a few times but the configuration (subreq etc) was 
done with mod_perl.

There is a major drawback in that approach as with allowing SSL 
renegotiation in general. You cannot deploy large POST requests. 
Normally the SSL handshake is done before any other data is sent. If 
the server suddenly decides it wants to renegotiate and the client has 
sent a large POST request then there is user data on the wire while the 
server expects the SSL handshake.

Now a few remarks to think about. You said you want that for extra 
security. For whom? The SSL connection is not better encrypted if the 
client supplies a certificate. The only thing that a client 
certificate can achieve is to make sure for the server to whom it 
talks. The client gains nothing.

But in that case using optional_no_ca is complete nonsense. Because if 
the server doesn't have a trusted CA certificate to verify the 
certificate supplied by the client the client can fake any identity it 
wants.

Just my €0.02,
Torsten

--
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net
