Posted to users@httpd.apache.org by Scott Gifford <sg...@suspectclass.com> on 2004/09/15 17:54:36 UTC

[users@httpd] Requiring specific SSL certs for HTTP Auth logins

I'm using HTTP client certificate authentication in conjunction with
HTTP Auth (well, a mod_perl extension which emulates HTTP Auth using
cookies).  I'd like to require that the Common Name field of the
certificate match the HTTP username of the user logging in.  Is there
a way to do this?

I see how to have the certificate override the username and then
provide per-certificate passwords, but the usernames are passed to an
underlying authentication system, so that won't really work.

Thanks!

----ScottG.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Requiring specific SSL certs for HTTP Auth logins

Posted by Scott Gifford <sg...@suspectclass.com>.
Joe Orton <jo...@redhat.com> writes:

> On Wed, Sep 15, 2004 at 11:54:36AM -0400, Scott Gifford wrote:
>> I'm using HTTP client certificate authentication in conjunction with
>> HTTP Auth (well, a mod_perl extension which emulates HTTP Auth using
>> cookies).  I'd like to require that the Common Name field of the
>> certificate match the HTTP username of the user logging in.  Is there
>> a way to do this?
>> 
>> I see how to have the certificate override the username and then
>> provide per-certificate passwords, but the usernames are passed to an
>> underlying authentication system, so that won't really work.
>
> If you used real HTTP auth you could just do something like
>
>   SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}
>
> but using cookies it's more tricky.  

The mod_perl bit tries to emulate HTTP Auth, so that might work,
thanks!  I'll try it out this evening and post back my results.

----ScottG.



Re: [users@httpd] Requiring specific SSL certs for HTTP Auth logins

Posted by Scott Gifford <sg...@suspectclass.com>.
Joe Orton <jo...@redhat.com> writes:

> On Wed, Sep 15, 2004 at 11:54:36AM -0400, Scott Gifford wrote:
>> I'm using HTTP client certificate authentication in conjunction with
>> HTTP Auth (well, a mod_perl extension which emulates HTTP Auth using
>> cookies).  I'd like to require that the Common Name field of the
>> certificate match the HTTP username of the user logging in.  Is there
>> a way to do this?

[...]

> If you used real HTTP auth you could just do something like
>
>   SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}
>
> but using cookies it's more tricky.  

Actually it worked perfectly!  The cookie authentication is done
through some mod_perl magic that makes it look just like HTTP AUTH to
Apache, and apparently the mod_perl magic was powerful enough for this
use!  Thanks so much for your help!

---ScottG.



Re: [users@httpd] Requiring specific SSL certs for HTTP Auth logins

Posted by Joe Orton <jo...@redhat.com>.
On Wed, Sep 15, 2004 at 11:54:36AM -0400, Scott Gifford wrote:
> I'm using HTTP client certificate authentication in conjunction with
> HTTP Auth (well, a mod_perl extension which emulates HTTP Auth using
> cookies).  I'd like to require that the Common Name field of the
> certificate match the HTTP username of the user logging in.  Is there
> a way to do this?
> 
> I see how to have the certificate override the username and then
> provide per-certificate passwords, but the usernames are passed to an
> underlying authentication system, so that won't really work.

If you used real HTTP auth you could just do something like

  SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}

but using cookies it's more tricky.  An SSLRequire matching with a regex
match against the appropriate cookie header might work, otherwise
something more complicated using mod_rewrite (which can access SSL
variables directly in 2.0.51, using the %{SSL:SSL_CLIENT_S_DN_CN}
syntax).

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslrequire

joe
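
A fuller configuration around the SSLRequire line from the reply, as an added example that is not from the thread or from the Apache documentation; the certificate and htpasswd paths and the /secure location are placeholders. It uses the Apache 2.4 form, where SSLRequire is deprecated in favour of Require expr, which is evaluated in the authorization phase after authentication has set REMOTE_USER; the 2.0-era directive quoted in the reply is kept in a comment.

```apache
# Added example (not from the thread): the client certificate's Common Name
# must equal the authenticated HTTP username for anything under /secure.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt       # placeholder paths
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt    # CA that issues the client certs

    <Location /secure>
        # Client certificate is mandatory. With "optional" a request without a
        # certificate still reaches the check below with an empty CN and is
        # refused by the comparison instead of by the TLS handshake.
        SSLVerifyClient require
        SSLVerifyDepth  1

        # Ordinary HTTP authentication; REMOTE_USER is set when this succeeds.
        AuthType Basic
        AuthName "Secure area"
        AuthUserFile /etc/apache2/htpasswd           # placeholder

        # RequireAll is needed: several Require lines at one level default to
        # RequireAny (OR), which would let either check alone admit the request.
        <RequireAll>
            Require valid-user
            # Apache 2.4 form of the reply's check. Require expr runs during
            # authorization, so REMOTE_USER is already populated here.
            Require expr "%{SSL_CLIENT_S_DN_CN} == %{REMOTE_USER}"
        </RequireAll>

        # Apache 2.0/2.2 equivalent, as quoted in the reply:
        # SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}
    </Location>
</VirtualHost>
```

A mismatch yields a 403 in the access log rather than a 401, which is the signal to watch for a user presenting someone else's certificate with their own password.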
