Posted to users@httpd.apache.org by Tom Evans <te...@googlemail.com> on 2011/01/21 11:24:54 UTC

[users@httpd] mod_ssl, client certificates and r->username

Hi all

Apache/2.2.17 (FreeBSD)

I'm trying to use client certificates to authenticate my few users. I
created a self-signed CA, server certificates and user certificates,
and installed them in the appropriate places. I then created a vhost:

<VirtualHost *:443>
    ServerName rc.ketbun.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/ketbun/star.ketbun.com/apache.crt
    SSLCertificateKeyFile /etc/ssl/ketbun/star.ketbun.com/apache.key
    SSLCACertificateFile /etc/ssl/ketbun/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCARevocationFile /etc/ssl/ketbun/ca.crl
    SSLOptions +FakeBasicAuth +StdEnvVars
    RequestHeader set X-Username %{SSL_CLIENT_S_DN_Email}s
</VirtualHost>

This all works nicely, and users can only access if they have been
issued with keys/certificates and installed them in their browser.
However, I can't seem to get any of these details to be logged.

Without creating phony .htpasswd files listing all my users with dummy
passwords, is there any way to extract an attribute from the client
certificate's DN and use that to populate r->username? FakeBasicAuth
doesn't seem to want to do anything without the dummy .htpasswd, and
whilst I can pass the information easily enough to the webapps without
this (adding it as a request header), this doesn't help me get the
info into the access logs.

Any ideas?


Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_ssl, client certificates and r->username

Posted by "David (Dave) Donnan" <da...@thalesgroup.com>.
Hello.

FYI: if you want to use the following:

    SSLUserName SSL_CLIENT_S_DN_UID

you need httpd-2.2.14 or later.
See BUG https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
I'm not sure why the BUG has been reopened - it works great, for me,
with httpd-2.2.14.

PS: You should also see the fantastic work done by Johannes 
(authenticate with cert, if available, if not LDAP Basic account/password):

    http://sourceforge.net/projects/modauthcertific/

Regards, Dave
---------

On 21/01/2011 12:34, Tom Evans wrote:
> On Fri, Jan 21, 2011 at 11:18 AM, Martin Kuba<ma...@ics.muni.cz>  wrote:
>> Then I think that what you are looking for is the SSLUserName directive
>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>
>> Cheers
>>
>> Martin
> Doh, how did I miss that one?! Thanks so much Martin!
>
> Cheers
>
> Tom
>


Re: [users@httpd] mod_ssl, client certificates and r->username

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Jan 21, 2011 at 11:18 AM, Martin Kuba <ma...@ics.muni.cz> wrote:
> Then I think that what you are looking for is the SSLUserName directive
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>
> Cheers
>
> Martin

Doh, how did I miss that one?! Thanks so much Martin!

Cheers

Tom


Re: [users@httpd] mod_ssl, client certificates and r->username

Posted by Martin Kuba <ma...@ics.muni.cz>.
On 21.1.2011 12:11, Tom Evans wrote:
> Ah, see that's the thing - they can also authenticate in other ways, I
> was slightly simplifying the situation. I was hoping that I could get
> the same user information into the access logs regardless of how they
> authenticate.

Then I think that what you are looking for is the SSLUserName directive
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

Cheers

Martin
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: makub@ics.muni.cz
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
--------------------------------------------------------------


Re: [users@httpd] mod_ssl, client certificates and r->username

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Jan 21, 2011 at 11:07 AM, Martin Kuba <ma...@ics.muni.cz> wrote:
> Hi Tom,
>
> the normal access log does not contain SSL information. If you want it,
> create a special log using the directive CustomLog, e.g.
>
>
> CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log"
> "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\"
> SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\"
> SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\"
> SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""

Ah, see that's the thing - they can also authenticate in other ways, I
was slightly simplifying the situation. I was hoping that I could get
the same user information into the access logs regardless of how they
authenticate.

>
> See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats  for
> details.
>
> By the way, I suggest you replace the "SSLVerifyClient require" with
>
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> ErrorDocument 403 /certneedederror.html
>
> The big advantage is that when something goes wrong, the user will get
> a web page with a nice error message you have written, instead of some weird
> browser popup dialog window with an internal SSL error code.

Yes, that is much better! Thanks :)

Cheers

Tom


Re: [users@httpd] mod_ssl, client certificates and r->username

Posted by Martin Kuba <ma...@ics.muni.cz>.
Hi Tom,

the normal access log does not contain SSL information. If you want it,
create a special log using the directive CustomLog, e.g.


CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log" "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\" SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\" SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""

See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats  for details.

By the way, I suggest you replace the "SSLVerifyClient require" with

SSLVerifyClient optional
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
ErrorDocument 403 /certneedederror.html

The big advantage is that when something goes wrong, the user will get
a web page with a nice error message you have written, instead of some weird
browser popup dialog window with an internal SSL error code.

Best regards

Martin


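Putting Dave's SSLUserName answer and Martin's CustomLog and "optional + SSLRequire" advice together, here is a complete vhost as an added example; it is not configuration from the thread or from the httpd project. It reuses the certificate paths from Tom's post; the log file path and the name of the error page are assumptions. It needs httpd 2.2.14 or later for SSLUserName, as Dave notes (on 2.4 the same layout works, although SSLRequire is deprecated there in favour of Require expr). One pitfall it handles that the bare three-line suggestion does not: an ErrorDocument that points at a local URL is served through an internal redirect, and that redirect goes through the access checks again, so a vhost-wide SSLRequire would deny the error page as well. The requirement is therefore scoped so that the error page itself stays reachable without a certificate.

```apache
# Added example (not from the thread): rc.ketbun.com vhost combining the
# SSLUserName advice (httpd 2.2.14 or later) with the "optional + SSLRequire"
# pattern. Certificate paths are the ones from Tom's post; the log path and
# the error page name are assumed. Assumes "Listen 443" in the main config.
<VirtualHost *:443>
    ServerName rc.ketbun.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/ketbun/star.ketbun.com/apache.crt
    SSLCertificateKeyFile /etc/ssl/ketbun/star.ketbun.com/apache.key
    SSLCACertificateFile  /etc/ssl/ketbun/ca.crt
    SSLCARevocationFile   /etc/ssl/ketbun/ca.crl
    SSLVerifyDepth 1

    # Let the TLS handshake complete with or without a client certificate
    # (a certificate that IS presented must still chain to ca.crt). The
    # decision is then made per request in the access phase, so a user
    # without a certificate sees our 403 page instead of a TLS alert.
    SSLVerifyClient optional
    ErrorDocument 403 /certneedederror.html

    # StrictRequire: an SSLRequire denial cannot be undone by "Satisfy any".
    # StdEnvVars is not needed for logging, SSLUserName or RequestHeader
    # (all three use mod_ssl's own variable lookup); add it back only if the
    # application behind this vhost reads the SSL_* environment variables.
    SSLOptions +StrictRequire

    # Require a verified certificate everywhere except the 403 page itself.
    # The error page is served via an internal redirect that is access-checked
    # again, so a vhost-wide SSLRequire would block the error page too.
    <LocationMatch "^/(?!certneedederror\.html$)">
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </LocationMatch>

    # Copy the certificate's e-mail attribute into r->username. It then shows
    # up as %u in the access log and as REMOTE_USER for CGI/proxied apps, with
    # no .htpasswd and no FakeBasicAuth.
    SSLUserName SSL_CLIENT_S_DN_Email

    # Still hand the name to the backend. "set" overwrites any X-Username a
    # client sends itself, so the header cannot be spoofed from outside.
    RequestHeader set X-Username %{SSL_CLIENT_S_DN_Email}s

    # %u is the certificate e-mail once SSLUserName is in effect; the %{...}x
    # fields record the verification result and full subject DN per request.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" verify=\"%{SSL_CLIENT_VERIFY}x\" dn=\"%{SSL_CLIENT_S_DN}x\"" ssl_user
    CustomLog /var/log/httpd-rc.ketbun.com-ssl.log ssl_user
</VirtualHost>
```

To check it: a request with a valid client certificate should log the e-mail address in the %u field and verify="SUCCESS"; a request without one should get a 403 carrying the custom page and log "-" and verify="NONE". If the browser instead shows the stock Apache 403 text with the note that "a 403 Forbidden error was encountered while trying to use an ErrorDocument", the SSLRequire is still covering the error page and the LocationMatch needs adjusting.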

[users@httpd] Re: Name-based SSL virtual hosts

Posted by Andrew Schulman <an...@alumni.utexas.net>.
> I do a similar thing, except I now always get wildcard certificates,
> e.g. for *.foobar.com. Then I can host all foobar.com subdomains from
> one IP on SSL, with no SNI support required in either browser or server.
> Wildcard certs can be a little bit more expensive..

Yes, a wildcard cert is the solution to this problem.  I highly recommend
StartSSL for this.  Their Class 2 cert costs $100 ($50 for identity
validation + $50 for organization validation) for 2 years, and includes
wildcards and as many domains as you want.



Re: [users@httpd] Name-based SSL virtual hosts

Posted by Tom Evans <te...@googlemail.com>.
On Mon, Jan 24, 2011 at 9:13 AM, Martin Kuba <ma...@ics.muni.cz> wrote:
> Hi Wolfgang,
>
> there is a chicken-and-egg problem with name-based virtual hosts
> and SSL. The SSL connection is established *before* HTTP communication,
> so the SSL server does not know what Host: HTTP header will be sent
> at the moment it decides which SSL server certificate to send.
>
> So for SSL HTTP servers, each server needs its own IP address;
> name-based virtual hosts are not possible.
>
> There is a solution for this problem: it is a change in the SSL protocol
> which allows the host name to be sent in the SSL handshake. However, it is
> not supported by all web browsers.
>
> For details see
> http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix
>
> In a nutshell, if you want to support MSIE on Windows XP, you cannot use it.
>
> I solve this by using one IP address for all SSL servers with the same DNS
> domain owner, and an SSL server certificate that has all the server names
> as subjectAltNames.
> That works for all browsers, but it is some hassle to create a new
> certificate for all names each time a new SSL server is added.
>
> Cheers
>
> Martin
>

I do a similar thing, except I now always get wildcard certificates,
e.g. for *.foobar.com. Then I can host all foobar.com subdomains from
one IP on SSL, with no SNI support required in either browser or server.
Wildcard certs can be a little bit more expensive..

Cheers

Tom


Re: [users@httpd] Name-based SSL virtual hosts

Posted by Wo...@geigerus.com.
Hi Martin,

Thanks for the info. Guess I have some reading to do!

My Best!

Wolfgang

Wolfgang Miska
Executive Vice President

GEIGER of Austria, Inc.
38 Pond Lane
P.O. Box 728
Middlebury, VT 05753-0728

(802) 388-3156  (802) 388-9745 Fax

www.geigerofaustria.com


Re: [users@httpd] Name-based SSL virtual hosts

Posted by Martin Kuba <ma...@ics.muni.cz>.
Hi Wolfgang,

there is a chicken-and-egg problem with name-based virtual hosts
and SSL. The SSL connection is established *before* HTTP communication,
so the SSL server does not know what Host: HTTP header will be sent
at the moment it decides which SSL server certificate to send.

So for SSL HTTP servers, each server needs its own IP address;
name-based virtual hosts are not possible.

There is a solution for this problem: it is a change in the SSL protocol
which allows the host name to be sent in the SSL handshake. However, it is
not supported by all web browsers.

For details see
http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix

In a nutshell, if you want to support MSIE on Windows XP, you cannot use it.

I solve this by using one IP address for all SSL servers with the same DNS
domain owner, and an SSL server certificate that has all the server names
as subjectAltNames.
That works for all browsers, but it is some hassle to create a new
certificate for all names each time a new SSL server is added.

Cheers

Martin

On 21.1.2011 22:18, Wolfgang.Miska@geigerus.com wrote:
> Hi,
>
> I am not too familiar with Apache, so the following message has stumped me.
>
> [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
>
> Can somebody explain what that means and what are the consequences?
>
> Thanks so much!
>
>
> Wolfgang


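As an added example (not configuration from the thread or from the httpd project) of the two options Martin and Tom describe, here is one address serving three SSL names on httpd 2.2.12 or later built against an SNI-capable OpenSSL, i.e. the setup that makes httpd print the "Name-based SSL virtual hosts only work for clients with TLS server name indication support" warning Wolfgang asked about. The address, host names, certificate and document paths are hypothetical. The first two names share one certificate that lists both of them as subjectAltNames (Martin's approach): a non-SNI client is always given the first vhost's certificate, so with a shared multi-name certificate it still gets one that verifies and is then routed by the Host: header. The third name has its own certificate and is deliberately limited to SNI clients with SSLStrictSNIVHostCheck. That is the security-relevant choice: with the check off (the default), a non-SNI client asking for that name is offered the default vhost's certificate for the wrong name and, if the user clicks through the mismatch warning, is still routed to the vhost.

```apache
# Added example (not from the thread): one IP address, three SSL names.
# Address, host names and paths are hypothetical. Requires httpd 2.2.12 or
# later with an SNI-capable OpenSSL. NameVirtualHost is 2.2 syntax (not
# needed on 2.4). Assumes "Listen 443" in the main config.
NameVirtualHost 203.0.113.10:443

# The FIRST vhost is the default: clients without SNI (MSIE on Windows XP)
# are always answered with this certificate, whatever name they wanted.
# Martin's approach: give it a certificate whose subjectAltName lists every
# name that such clients may legitimately reach on this address.
<VirtualHost 203.0.113.10:443>
    ServerName www.example.org
    DocumentRoot /srv/www/www.example.org
    SSLEngine on
    # all-names.crt: CN=www.example.org, SAN = www.example.org, wiki.example.org
    SSLCertificateFile    /etc/ssl/example/all-names.crt
    SSLCertificateKeyFile /etc/ssl/example/all-names.key
</VirtualHost>

# Second name, same certificate: works for SNI and non-SNI clients alike,
# because the certificate a non-SNI client receives already covers it and
# the Host: header then selects this vhost.
<VirtualHost 203.0.113.10:443>
    ServerName wiki.example.org
    DocumentRoot /srv/www/wiki.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/all-names.crt
    SSLCertificateKeyFile /etc/ssl/example/all-names.key
</VirtualHost>

# A name with its OWN certificate is only reachable via SNI. Without the
# strict check a non-SNI client would be offered www.example.org's cert for
# secure.example.net and, after clicking through the mismatch warning, would
# still be routed here. Refuse such clients instead of training users to
# ignore certificate warnings.
<VirtualHost 203.0.113.10:443>
    ServerName secure.example.net
    DocumentRoot /srv/www/secure.example.net
    SSLEngine on
    SSLStrictSNIVHostCheck on
    SSLCertificateFile    /etc/ssl/example/secure.example.net.crt
    SSLCertificateKeyFile /etc/ssl/example/secure.example.net.key
</VirtualHost>
```

To see which certificate a client actually receives, compare `openssl s_client -connect 203.0.113.10:443 -servername wiki.example.org` with the same command without -servername, which performs a non-SNI handshake: the first gets the certificate selected by name, the second always gets the first vhost's. One caveat on Tom's wildcard variant: a *.foobar.com entry matches exactly one label, so it covers www.foobar.com but neither foobar.com itself nor a.b.foobar.com; add those as separate subjectAltNames if they are served from the same address.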

[users@httpd] Name-based SSL virtual hosts

Posted by Wo...@geigerus.com.
Hi,

I am not too familiar with Apache, so the following message has stumped me.

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

Can somebody explain what that means and what are the consequences?

Thanks so much!


Wolfgang