Hi Mark,

I use SSLFakeBasicAuth in my httpd.conf. I assumed it was encrypted because I'm stating to use SSL but fake basic Auth. Maybe I am not understanding SSLFakeBasicAuth? Let me know what other people say, I would appreciate that.

Thanks
Ron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Barton
Sent: Wednesday, November 27, 2002 2:32 PM
To: [EMAIL PROTECTED]
Subject: What is a good way to determine this

I have what I think is probably an easy question to answer, but I have done some searching and have not found anything obvious. The gist of the question is:

I have mod_ssl running and have my entire site covered with it (there is nothing listening on port 80). I also have .htaccess files forcing people to log into the site. Is the username and password transaction from the .htaccess prompt encrypted, being as it is the first thing the user logging on is prompted to perform?

My gut feeling is, of course. I have SSL options protecting the directory and the .htaccess file (I will include those at the end). But the reason why I am doubting myself is the logs show me something sketchy. I have a Custom log that shows the username and SSL environment variables of the user logging in:

...
LogFormat "%t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r" sslformat
CustomLog logs/ssl/mbsindassl.log sslformat
...

But here is the log file entry that I am worried about:

...
[27/Nov/2002:16:46:29 -0500] - --> - - - <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500] mbarton --> RC4-MD5 128 SSLv3 <-- GET /index.html HTTP/1.1
...

The log file shows first the request with no username (which makes sense because they haven't logged on yet) but the SSL environment variables are all NULL too. So is this just a problem with the way environment variables are reported to the log? Because it looks like there is not an SSL connection before the user logs in! I have verified that SSL is up and running and working correctly for the site with s_client.

The software I am using is:

Windows 2000
Apache 1.3.27
Mod_SSL 2.8.12
OpenSSL 0.9.6g

Here is the top-level .htaccess file
------------------------------------------------------------
AuthName "Dude, you had better be authorized"
AuthType Basic
AuthUserFile "C:/MBserver/Apache/bin/.htpasswd"
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
require user mbarton

Here is the relevant SSL Portion of the httpd.conf file
-----------------------------------------------------------------------------------
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLMutex sem
SSLSessionCache dbm:logs/ssl/scache
SSLSessionCacheTimeout 400
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl/engine.log
SSLLogLevel warn

<VirtualHost _default_:443>
    DocumentRoot "C:/MBserver/Apache/secure"
    ErrorLog logs/ssl/error.log
    LogLevel debug
    TransferLog logs/ssl/access.log
    LogLevel debug
    AccessFileName .htaccess

    LogFormat "%>s \t%u \t%r \t%t \t%f \t%h \t%a \t%A \t%c \t%b \t%e \t%p \t%s" docscommon
    LogFormat "%t \t%u \t%{Referer}i -> %U" docsreferer
    LogFormat "%t \t%u \t%{User-agent}i" docsagent
    LogFormat "%t \t%u \t%r" docssmall
    LogFormat "%t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r" sslformat

    CustomLog logs/ssl/mbsinda.log docscommon
    CustomLog logs/ssl/mbsindareferer.log docsreferer
    CustomLog logs/ssl/mbsindaagent.log docsagent
    CustomLog logs/ssl/mbsindasmall.log docssmall
    CustomLog logs/ssl/mbsindassl.log sslformat

    ScriptAlias /cgi-bin/ "C:/MBserver/Apache/secure/cgi-bin/"

    <Directory "C:/MBserver/Apache/secure">
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        SSLOptions +StdEnvVars +ExportCertData
    </Directory>

    SSLProtocol -all +SSLv3
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:-EXP:-LOW:-SSLv2
    SSLCertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.crt"
    SSLCertificateKeyFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.key"
    SSLCACertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaCA.crt"
    SSLCACertificatePath "C:/MBserver/Apache/conf/ssl-AA"
    SSLOptions +CompatEnvVars +StdEnvVars
    SSLEngine on
</VirtualHost>
</IfDefine>

I appreciate you guys taking a look at this,

Thanks,
Mark Barton

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
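
An added example, not part of either message above and not mod_ssl code: a parser for the sslformat log lines quoted in the thread. It separates entries that have no user and no SSL variables but are followed by an authenticated retry of the same request from those that are not, and checks the logged key size against the 128-bit floor in the SSLRequire line. The sample lines are constructed in that layout; reading a paired entry as one Basic-auth prompt and retry is an assumption, as are the function names, the labels and the 60-second window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the thread's "sslformat" layout (not real log data).
SAMPLE = """\
[27/Nov/2002:16:46:29 -0500] - --> - - - <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500] mbarton --> RC4-MD5 128 SSLv3 <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:50:02 -0500] mbarton --> EXP-RC4-MD5 40 SSLv3 <-- GET /a.html HTTP/1.1
[27/Nov/2002:16:55:10 -0500] - --> - - - <-- GET /b.html HTTP/1.1
"""

# %t %u --> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- %r
LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+-->\s+(?P<cipher>\S+)\s+"
    r"(?P<bits>\S+)\s+(?P<proto>\S+)\s+<--\s+(?P<req>.+)$")

def parse(text):
    """Return one dict per sslformat line; lines in another format are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        out.append(e)
    return out

def classify(entries, window=timedelta(seconds=60), min_bits=128):
    """Label each entry (entries are assumed to be in time order)."""
    labels = []
    for i, e in enumerate(entries):
        if e["user"] == "-" and e["cipher"] == "-":
            # Assumption: same request line, now with a user, soon after = retry.
            retried = any(
                n["user"] != "-" and n["req"] == e["req"]
                and n["ts"] - e["ts"] <= window
                for n in entries[i + 1:])
            labels.append("no-ssl-vars-then-auth-retry" if retried
                          else "no-ssl-vars-no-retry")
        elif e["bits"].isdigit() and int(e["bits"]) >= min_bits:
            labels.append("ok")
        else:
            labels.append("weak-or-missing-cipher")
    return labels

if __name__ == "__main__":
    for e, label in zip(parse(SAMPLE), classify(parse(SAMPLE))):
        print(label, e["user"], e["cipher"], e["bits"], e["req"])
```

Entries labelled no-ssl-vars-no-retry are the ones to follow up in the other logs the configuration already writes, such as the docscommon log, which records the response status for the same request.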
