On Fri, Dec 11, 1998, Bruce B. Platt wrote:

> I have a port 80, non-SSL site created for my family which has user
> authentication configured as follows in access.conf:
> 
> AuthName "Restricted Access"
> AuthType Basic
> AuthUserFile /usr/local/apache/etc/athorized-users
> require valid-user
> 
> I have just installed Apache with mod_ssl, which I find a great
> improvement over Apache-SSL in terms of ease of use.
> 
> My question is this.
> 
> I set up a virtual server on port 443 for the above referenced site, using
> the same lines from access.conf on both the port 80 and the port 443 servers.
> 
> It appears as if the user-authentication dialog takes place using export
> grade RC4 and MD5 encryption even though the browser doesn't show a "lock
> or key" secure symbol while the user-name and password authentication box
> is presented on the screen.  I suspect this from examining the following
> lines from the ssl_request_log:
> 
> [11/Dec/1998:17:15:00 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /
> HTTP/1.0" 474
> [11/Dec/1998:17:15:24 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /
> HTTP/1.0" 2308
> [11/Dec/1998:17:15:25 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET
> /_derived/index.html_cmp_global100_bnr.gif HTTP/1.0" 3593
> [11/Dec/1998:17:15:25 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET
> /_themes/global/glotextb.gif HTTP/1.0" 181
> 
> The first line from the log (above) is written to the log as the user-name
> and password dialogue box is presented to the browser.  The remaining lines
> appear in the log after the user has entered their user-name and password,
> and the index page is retrieved from the server.  The "secure" symbol
> appears in the browser window at this point.
> 
> Am I correct in assuming that the username and password which the user
> enters are encrypted in transmission?

Yes. The lock icon in Netscape isn't really synchronized with the SSL layer.
Actually the icon is displayed _after_ the complete webpage has been loaded.  But
the encryption was enabled a long time before, of course. In your case, the
Basic Auth is a facility on the HTTP layer. Under HTTPS, below the HTTP layer
there is the SSL/TLS layer. And before the HTTP layer does any data
communication, the SSL/TLS layer has already done the handshake and switched to
encryption.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
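Two points from the thread are worth seeing in working code: the ssl_request_log entries quoted above record which protocol and cipher suite protected each request (here SSLv3 with the export-grade EXP-RC4-MD5 suite), and Basic Auth itself only base64-encodes the credentials at the HTTP layer, so any confidentiality comes from the SSL/TLS layer underneath. The following Python script is an added example, not mod_ssl code or anything posted in the thread. It parses lines in the ssl_request_log layout shown above (timestamp, host, protocol, cipher, quoted request, byte count) and flags entries whose protocol or cipher suite is weak by a small, hard-coded policy that is this example's own assumption. The sample log text is constructed for the example; the third line uses a modern cipher suite purely to show a clean entry.

```python
"""Audit mod_ssl ssl_request_log lines for weak protocol/cipher choices.

Added example; the log layout follows the lines quoted in the thread:
    [timestamp] host protocol cipher "request" bytes
The weakness policy below is an assumption of this example, not a mod_ssl setting.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the thread's ssl_request_log layout (not a real capture).
SAMPLE_LOG = """\
[11/Dec/1998:17:15:00 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 474
[11/Dec/1998:17:15:24 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 2308
[11/Dec/1998:17:15:25 -0500] server.domain.com TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /index.html HTTP/1.1" 3593
"""

LOG_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<host>\S+)\s+(?P<protocol>\S+)\s+'
    r'(?P<cipher>\S+)\s+"(?P<request>[^"]*)"\s+(?P<size>\d+|-)\s*$'
)


@dataclass
class SslRequest:
    time: str
    host: str
    protocol: str
    cipher: str
    request: str
    size: int  # -1 when the log records "-" (no body size)


def parse_ssl_request_log(text: str) -> List[SslRequest]:
    """Parse every non-empty line; raise on a line that does not fit the layout."""
    entries: List[SslRequest] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ssl_request_log line: {line!r}")
        size = -1 if m["size"] == "-" else int(m["size"])
        entries.append(SslRequest(m["time"], m["host"], m["protocol"],
                                  m["cipher"], m["request"], size))
    return entries


# Example policy (assumption): protocol versions that should no longer be offered.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def weakness_reasons(entry: SslRequest) -> List[str]:
    """Return human-readable reasons an entry is weak; empty list means acceptable."""
    reasons: List[str] = []
    if entry.protocol in OBSOLETE_PROTOCOLS:
        reasons.append(f"obsolete protocol {entry.protocol}")
    if entry.cipher.startswith("EXP-"):
        reasons.append("export-grade (40/56-bit) cipher suite")
    if "RC4" in entry.cipher:
        reasons.append("RC4 stream cipher")
    if entry.cipher.endswith("-MD5"):
        reasons.append("MD5-based MAC")
    if "NULL" in entry.cipher:
        reasons.append("NULL cipher or NULL MAC")
    return reasons


def audit(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, cipher, reasons) for every weak entry in the log text."""
    findings = []
    for idx, entry in enumerate(parse_ssl_request_log(text), start=1):
        reasons = weakness_reasons(entry)
        if reasons:
            findings.append((idx, entry.cipher, reasons))
    return findings


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP-layer Authorization value: base64 of 'user:password', no secrecy."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Recover the credentials; works for anyone who sees the header unencrypted."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    for line_no, cipher, reasons in audit(SAMPLE_LOG):
        print(f"line {line_no}: {cipher}: {', '.join(reasons)}")
    hdr = basic_auth_header("alice", "s3cret")
    print(hdr, "->", decode_basic_auth(hdr))
```

Running the script lists the two SSLv3/EXP-RC4-MD5 lines with their reasons and leaves the constructed TLSv1.2 line alone; the Basic Auth round trip shows why the answer above is the right one: the HTTP layer never hides the password, so the SSL/TLS handshake finishing before the first HTTP byte is what keeps it private on the wire.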