Posted to users@httpd.apache.org by Christoph Anton Mitterer <ca...@scientia.net> on 2011/12/29 15:23:20 UTC

[users@httpd] selectively disclaim on SSL client-auth for some directories

Hi.

I wondered whether the following is somehow possible (I guess it's not).

I have an SSL vhost,... and I'd like to require SSL client cert
authentication _per default_ ... but selectively being able to not
demand it for some directories/files/locations.

Having something like:
<VirtualHost ..>

SSLVerifyClient require
...

<Directory /vhost/forThePublic>
SSLVerifyClient none
...
</Directory>

</VirtualHost>


seems not to work (as I'd like to have it), as the vhost-wide setting is
used for the initial SSL handshake.

So even if a client just asks for something in /vhost/forThePublic he'd
first have to present a valid client cert.


Any other ways?


Thanks,
Chris.

Re: [users@httpd] selectively disclaim on SSL client-auth for some directories

Posted by Tom Evans <te...@googlemail.com>.
On Thu, Dec 29, 2011 at 2:23 PM, Christoph Anton Mitterer
<ca...@scientia.net> wrote:
> Hi.
>
> I wondered whether the following is somehow possible (I guess it's not).
>
> I have an SSL vhost,... and I'd like to require SSL client cert
> authentication _per default_ ... but selectively being able to not
> demand it for some directories/files/locations.
>

It is possible, for a given definition of possible. The way to go
about it is to make client certificates optional, and then in areas
that are not for people without certificates make them only available
if the client certificate validated.

E.g. on my SSL vhosts protected by client certs, I want the page that
tells people to get lost if they don't have one to be viewable by
them:

    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/errors

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </LocationMatch>

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] selectively disclaim on SSL client-auth for some directories [partially SOLVED]

Posted by Christoph Anton Mitterer <ca...@scientia.net>.
Hey.

I guess I've found a solution on my own, well at least a partial one.
Here it is for those interested:

Don't set the "vhost-wide" SSLVerifyClient require directly in the
<VirtualHost> block, but either in a
<Location />
	SSLVerifyClient require
</Location>
or (if this is enough, as all the content lies in the filesystem) a
<Directory /vhost/documentRootPath/>
	SSLVerifyClient require
</Directory>
block.


Now it's possible to have single directories for which this is
selectively disabled, e.g.
<Directory /vhost/documentRootPath/public>
	SSLVerifyClient none
</Directory>
And it seems that no client certificate is requested when a client
directly ("at first") accesses something
below /vhost/documentRootPath/public .


In all other cases, when a connection is opened a renegotiation will be
enforced "immediately".
Not sure what this means for authentication, though. The docs say the
request itself is before the renegotiation but the response already
afterwards.
If SSL is enforced (SSLRequireSSL), then it should IMHO be technically
possible to even have the first request (that was pre-renegotiation)
authenticated (i.e. the user is verified for it).
The server caches it and if then a client certificate is presented, it
could know that even the first request was by the user with the DN
"foobar".

But I don't know whether Apache really does this.
Is there anybody who could confirm that this (authentication) would be
secure even for the request part (of the first request) before the
renegotiation?


Thanks,
Chris.
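A single vhost that combines Tom's "optional + SSLRequire" pattern with the per-directory "require" pattern from the follow-up, added here as an example and not taken from either post; the hostname, paths and certificate files are placeholders.

```apache
# Added example (not from the thread). Placeholders: example.test, /vhost/...,
# /etc/ssl/*. Serves /public/ without asking for a client certificate and
# refuses everything else unless mod_ssl verified one.
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /vhost/documentRootPath

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.test.crt
    SSLCertificateKeyFile /etc/ssl/example.test.key
    # CA that issues the client certificates; verification needs it.
    SSLCACertificateFile  /etc/ssl/client-ca.crt
    SSLVerifyDepth 2

    # Tom's pattern: do not force a certificate in the initial handshake.
    # A client that has one presents it; one that has none still connects
    # and can read /public/.
    SSLVerifyClient optional

    # Clients without a certificate are sent to an explanation page that
    # lives in the open area, so the 403 itself is viewable.
    ErrorDocument 403 /public/certneeded.html

    # Everything outside /public/: serve only if mod_ssl verified the cert.
    # SSL_CLIENT_VERIFY is "NONE" when no certificate was presented, so a
    # plain anonymous client gets a 403 here.
    <LocationMatch "^(?!/public/)">
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </LocationMatch>

    # Chris's alternative for one directory: keep the vhost at "optional"
    # and require per directory. The first request into this directory
    # triggers a renegotiation; mod_ssl buffers the request body (up to
    # SSLRenegBufferSize, default 131072 bytes) while it renegotiates and
    # only generates the response after the new certificate is verified,
    # so large POST bodies here need a larger buffer.
    <Directory /vhost/documentRootPath/private>
        SSLVerifyClient require
        SSLRenegBufferSize 262144
    </Directory>
</VirtualHost>
```

To check which paths request a certificate at the first handshake, connect with a TLS client that prints the server's certificate request (for example `openssl s_client`) and compare a request for /public/ against one for a protected path: the former should complete without any certificate, the latter should return 403 or renegotiate.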