Hello.
I have been using apache (first apache_ssl and now mod_ssl) for a while and am
rather satisfied with the result: I can restrict access to certain pages
either by password (which is only transferred encrypted) or by client
certificate.
Since I only have a very small user group to deal with for internal
purposes, I am my own CA.
I am also running sslwrap for imap and pop services, so that at least the
passwords are not transferred in clear, and it seems that sniffers like
mscan don't care about the SSL-protected services.
Now to the problem: I want to further restrict access to those services
by using client certificates to check the right to access those services.
At the moment it is not my intention to replace the usual password check; it
should just be: _before_ you can even open the imap (or pop) behind sslwrap,
you have to show the certificate. I would also like to use this idea
to take care of the roaming users problem with smtp.
The software to be used for the clients is mainly netscape, one user has
MS open express(?).
My experiences so far are as follows: When activating "-Verify" with
sslwrap, netscape 4.08 receives the request for a certificate, but complains
"No User Certificate". I definitely have one, which I can use to access
my www-site with apache/mod_ssl. I would think the problem is rather small,
but I couldn't find any explanation.
Netscape 4.5 is no better on this point, but it additionally offers
SSL/TLS for smtp. It doesn't work with sslwrap, however. I don't know
what's going on there, but it seems netscape is using a different protocol
for SSL/TLS, maybe already using some extensions described in the ietf
drafts. (So I haven't used 4.5 so far, because at least on HP-UX I am already
lucky when it can finish reading the list of my imap folders before
crashing :-((( )
Any proposals on what to do? Where can I find appropriate information?
Unfortunately netscape is not distributed with source, so I cannot cross
check there. I dug around in the source code of openssl-0.9.1c and
sslwrap-2.0.2 (as well as edssl), but didn't find a clue on what to do.
I could establish client certificate verification with s_client of openssl.
Best regards,
Lutz
PS. If you want to verify my results: I call sslwrap from inetd, with the
unfriendly side effect that stderr is connected to stdout, which is connected
to the net. As some information is printed to stderr(=bio_err) even in
non-verbose mode, the connection first failed. Hence I had to comment out
some of the BIO_printf...
PPS. No, the solution is not really for myself. I have linux at home and on
the laptop I use for travelling, so I have ssh available, offering me
both: tunnels for all connections I need and slogin to "mutt" :-)
But a lot of my users are running windows and dial in via some large internet
providers, so tcpwrappers are set to "very restrictive" and don't allow
them to enter, and sendmail won't relay their mail.
PPPS. Phew, that was a long mail.
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]