I have what I think is probably an easy question to answer, but I have done some searching and have not found anything obvious. The gist of the question is:

I have mod_ssl running and have my entire site covered with it (there is nothing listening on port 80). I also have .htaccess files forcing people to log into the site. Is the username and password transaction from the .htaccess prompt encrypted, being as it is the first thing the user logging on is prompted to perform?

My gut feeling is, of course. I have SSL options protecting the directory and the .htaccess file (I will include those at the end). But the reason why I am doubting myself is the logs show me something sketchy. I have a Custom log that shows the username and SSL environment variables of the user logging in:

...
LogFormat "%t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r" sslformat
CustomLog logs/ssl/mbsindassl.log sslformat
...

But here is the log file entry that I am worried about:
...
[27/Nov/2002:16:46:29 -0500] - --> - - - <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500] mbarton --> RC4-MD5 128 SSLv3 <-- GET /index.html HTTP/1.1
...

The log file shows first the request with no username (which makes sense because they haven't logged on yet) but the SSL environment variables are all NULL too. So is this just a problem with the way environment variables are reported to the log? Because it looks like there is not an SSL connection before the user logs in!

I have verified that SSL is up and running and working correctly for the site with s_client.

The software I am using is:
Windows 2000
Apache 1.3.27
Mod_SSL 2.8.12
OpenSSL 0.9.6g


Here is the top-level .htaccess file
------------------------------------------------------------
AuthName "Dude, you had better be authorized"
AuthType Basic
AuthUserFile "C:/MBserver/Apache/bin/.htpasswd"

SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

require user mbarton


Here is the relevant SSL portion of the httpd.conf file
-----------------------------------------------------------------------------------


<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLMutex sem
SSLSessionCache dbm:logs/ssl/scache
SSLSessionCacheTimeout 400
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl/engine.log
SSLLogLevel warn

<VirtualHost _default_:443>

DocumentRoot "C:/MBserver/Apache/secure"
ErrorLog logs/ssl/error.log
LogLevel debug
TransferLog logs/ssl/access.log
LogLevel debug
AccessFileName .htaccess

LogFormat "%>s \t%u \t%r \t%t \t%f \t%h \t%a \t%A \t%c \t%b \t%e \t%p \t%s" docscommon
LogFormat "%t \t%u \t%{Referer}i -> %U" docsreferer
LogFormat "%t \t%u \t%{User-agent}i" docsagent
LogFormat "%t \t%u \t%r" docssmall
LogFormat "%t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r" sslformat

CustomLog logs/ssl/mbsinda.log docscommon
CustomLog logs/ssl/mbsindareferer.log docsreferer
CustomLog logs/ssl/mbsindaagent.log docsagent
CustomLog logs/ssl/mbsindasmall.log docssmall
CustomLog logs/ssl/mbsindassl.log sslformat

ScriptAlias /cgi-bin/ "C:/MBserver/Apache/secure/cgi-bin/"

<Directory "C:/MBserver/Apache/secure">
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLOptions +StdEnvVars +ExportCertData
</Directory>

SSLProtocol -all +SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:-EXP:-LOW:-SSLv2

SSLCertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.crt"
SSLCertificateKeyFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.key"
SSLCACertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaCA.crt"
SSLCACertificatePath "C:/MBserver/Apache/conf/ssl-AA"
SSLOptions +CompatEnvVars +StdEnvVars
SSLEngine on

</VirtualHost>

</IfDefine>

I appreciate you guys taking a look at this,

Thanks,
Mark Barton

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

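An added example, not from the post or from mod_ssl, that parses lines written by the sslformat LogFormat above and gives each a defender's verdict: a line with no username and empty SSL fields is not by itself evidence that a password crossed the wire unprotected, whereas a line that records a username but no SSL variables, or a key shorter than the 128 bits the SSLRequire directive demands, is the kind worth chasing in the engine log. The two log lines are the ones from the post; the third sample line, the verdict names and the function names are constructed.

```python
import re
# Regex for the poster's "sslformat" LogFormat:
#   %t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r
# Apache writes "-" for an empty or unset field; \s+ accepts the literal tabs.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<user>\S+)\s+--> (?P<cipher>\S+) "
    r"(?P<keysize>\S+) (?P<protocol>\S+) <--\s+(?P<request>.*)$"
)

def parse_line(line):
    """Return the line's fields as a dict; "-" becomes None, keysize an int."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an sslformat line: %r" % line)
    f = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    f["keysize"] = int(f["keysize"]) if f["keysize"] else None
    return f

def classify(e, min_keysize=128):
    """Verdict for one parsed entry (constructed verdict names):
    no-credentials - no username on this request, so empty SSL fields do not
                     by themselves show that a password went unprotected;
    ssl-unrecorded - username logged but no SSL variables, so the log cannot
                     confirm the channel (check the mod_ssl engine log);
    weak-cipher    - username logged over a key shorter than min_keysize;
    ok             - username plus a recorded key of at least min_keysize."""
    if e["user"] is None:
        return "no-credentials"
    if e["cipher"] is None or e["keysize"] is None:
        return "ssl-unrecorded"
    if e["keysize"] < min_keysize:
        return "weak-cipher"
    return "ok"

def audit(log_text, min_keysize=128):
    """Return a (verdict, request) pair for each non-empty line, in order."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [(classify(e, min_keysize), e["request"]) for e in entries]

# Constructed sample: the two lines from the post plus one invented 40-bit line.
SAMPLE_LOG = """\
[27/Nov/2002:16:46:29 -0500] - --> - - - <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500] mbarton --> RC4-MD5 128 SSLv3 <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:47:02 -0500] mbarton --> EXP-RC4-MD5 40 SSLv3 <-- GET /secret.html HTTP/1.1
"""

if __name__ == "__main__":
    for verdict, request in audit(SAMPLE_LOG):
        print("%-15s %s" % (verdict, request))
```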