Posted to users@httpd.apache.org by Jean-Francois Maeyhieux <b4...@free.fr> on 2013/03/14 12:43:02 UTC
[users@httpd] SSL authentication by clients certificates or by IP
Hello everyone!
My purpose is simple:
I want a single SSL vhost that permits two ways to access the website:
a) People from specific IPs can access the content
b) People with a valid client certificate can access the content
I know how to achieve each access method, but not both at the same time.
How could I write a vhost that accepts connections from specific IPs and
from people with valid client certificates?
Zentoo
My current vhost, which permits only client certificates but doesn't accept
specific IPs:
<VirtualHost x.x.x.x:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
    SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem
    SSLProtocol -SSLv2 -SSLv3 +TLSv1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
    ServerName www.toto.com
    DocumentRoot /var/www/htdocs
    ErrorLog /var/logs/ssl_error_log
    CustomLog /var/logs/ssl_access_log combined
    <Location />
        SSLRequireSSL
        # Note that SSLVerifyClient optional brings MS IE incompatibility
        SSLVerifyClient optional
        SSLVerifyDepth 5
        SSLOptions OptRenegotiate
        SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D") \
            or ( %{SSL_CLIENT_S_DN_O} eq "MyCompany" and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
    </Location>
</VirtualHost>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSL authentication by clients certificates or by IP
Posted by Jean-Francois Maeyhieux <b4...@free.fr>.
On Thu, 2013-03-14 at 14:33 +0100, Jan Vávra wrote:
> Hello,
> for a) I'd use directives Order, Allow, Deny for Directory
> for b) I'd use
> SSLVerifyClient require
> This option allows only clients with a client certificate issued by a
> CA in the list defined by SSLCACertificateFile
>
I just need a valid certificate, so I don't use SSLCACertificateFile.
I use "SSLVerifyClient require" too, but I've tested the optional argument in
case it could help me accept IP clients as well as certificate owners.
> For more filtering by the specific field of cert eg. Common Name set
> SSLOptions -ExportCertData
> and do the check in a php script.
> In SSL_CLIENT_CERT environment variable will be the client cert in PEM
> format. You can parse it by php openssl functions.
> This is suitable for managing access via this script.
> eg. .../download.php?file=xxx.avi.
>
I don't need it: I'm checking the following fields with the SSLRequire
directive: SSL_CLIENT_S_DN_O, SSL_CLIENT_S_DN_OU.
That does the job.
> It is possible there is a way to protect the whole content of a
> Directory as htpasswd/.htaccess does.
> But on page http://httpd.apache.org/docs/2.2/howto/auth.html I do
> not see it. You should write your own Apache module.
>
> Jan.
>
Re: [users@httpd] SSL authentication by clients certificates or by IP
Posted by Jan Vávra <va...@602.cz>.
Hello,
for a) I'd use the directives Order, Allow, Deny for Directory
for b) I'd use
SSLVerifyClient require
This option allows only clients with a client certificate issued by a CA
in the list defined by SSLCACertificateFile
For more filtering by a specific field of the cert, e.g. Common Name, set
SSLOptions -ExportCertData
and do the check in a php script.
The SSL_CLIENT_CERT environment variable will contain the client cert in
PEM format. You can parse it with the php openssl functions.
This is suitable for managing access via this script, e.g.
.../download.php?file=xxx.avi.
It is possible there is a way to protect the whole content of a
Directory as htpasswd/.htaccess does.
But on page http://httpd.apache.org/docs/2.2/howto/auth.html I do not
see it. You should write your own Apache module.
Jan.
Re: [users@httpd] SSL authentication by clients certificates or by IP
Posted by Jean-Francois Maeyhieux <b4...@free.fr>.
My problem is exactly here. How could I use the 'Satisfy Any'
directive to check that the client certificate is valid and has some
specific fields?
Is 'Satisfy Any' compatible with the
'SSLVerifyClient/SSLVerifyDepth/SSLRequire' directives?
All my attempts to mix both bring me an "Internal Server Error" page.
Relevant part of such a test:
SSLVerifyClient optional
SSLOptions +StdEnvVars +OptRenegotiate
<Location />
    SSLRequireSSL
    SSLVerifyClient optional
    SSLVerifyDepth 5
    SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "European Space Agency" and %{SSL_CLIENT_S_DN_OU} eq "DGC-C" )
    Order deny,allow
    Require IP 10.0.0.8
    Satisfy any
</Location>
Maybe it's possible to test an environment variable set by
SSLVerifyClient, such as SSL_CLIENT_VERIFY = SUCCESS.
I have no more ideas, so any help is welcome!
Zentoo
On Thu, 2013-03-14 at 08:08 -0400, Yehuda Katz wrote:
> I am not near my computer, so I can't test this, but I believe what
> you are looking for is the "Satisfy Any" directive.
> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
>
>
> - Y
Re: [users@httpd] SSL authentication by clients certificates or by IP
Posted by Yehuda Katz <ye...@ymkatz.net>.
I am not near my computer, so I can't test this, but I believe what you are
looking for is the "Satisfy Any" directive.
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
- Y
--
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.