Ken,
 
Yeah, it's funny how stuff moves and dramatic changes are made from version to version.  And hundreds of options for what? 
 
I initially tried to do it without a virtual host but couldn't get it to work. I still get errors at startup even though things are working.
 
Hang in there.
 
Chuck
-----Original Message-----
From: kloomis [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 25, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: Mac users bypass SSL

At 08:12 AM 9/25/2004 -0700, you wrote:
See SSLRequireSSL Directive at http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslrequiressl
Description: Deny access when SSL is not used for the HTTP request

Thank you! 

Now, this is really dumb.  I went to look at my httpd.conf and I see that SSL is not included in the conf as it was in apache 1.3!  So while I had an SSL virtual host in 1.3 I don't have it in 2.0.  Now I'm really confused.

Ken




This was not in my earlier reply, so I may have a misconfiguration myself.  The combination of the "Listen 443" without a "Listen 80" and "<VirtualHost myhost.yourcompany.com:443>" and the SSLRequireSSL Directive  will force the use of ssl.  Additional directives are needed to make it work as described at
 
 
mod_ssl User Manual
http://www.modssl.org/docs/2.8/

How To in User Manual
http://www.modssl.org/docs/2.8/ssl_howto.html
Unfortunately, much of the documentation covers everything but the simpler case of just making a server require ssl.
 
Best I can find in the docs is (http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html):

httpd.conf




SSLCACertificateFile conf/ssl.crt/company-ca.crt

<Directory /usr/local/apache2/htdocs>
#   Outside the subarea only Intranet access is granted
Order                deny,allow
Deny                 from all
Allow                from 192.168.1.0/24
</Directory>

<Directory /usr/local/apache2/htdocs/subarea>
#   Inside the subarea any Intranet access is allowed
#   but from the Internet only HTTPS + Strong-Cipher + Password
#   or the alternative HTTPS + Strong-Cipher + Client-Certificate

#   If HTTPS is used, make sure a strong cipher is used.
#   Additionally allow client certs as alternative to basic auth.
SSLVerifyClient      optional
SSLVerifyDepth       1
SSLOptions           +FakeBasicAuth +StrictRequire
SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128

#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond          %{HTTPS} !=on
RewriteRule          .* - [F]

#   Allow Network Access and/or Basic Auth
Satisfy              any

#   Network Access Control
Order                deny,allow
Deny                 from all
Allow                from 192.168.1.0/24

#   HTTP Basic Authentication
AuthType             basic
AuthName             "Protected Intranet Area"
AuthUserFile         conf/protected.passwd
Require              valid-user
</Directory>
Change "/usr/local/apache2/htdocs/subarea" to the directory you want protected and eliminate the <Directory /usr/local/apache2/htdocs> section.
 
 
Hope this helps you out.  There is a lot to it.
 
Chuck
 
 
 
-----Original Message-----
From: kloomis [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 24, 2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac users bypass SSL

At 03:54 PM 9/24/2004 -0700, you wrote:
kloomis wrote:
At 11:31 PM 9/23/2004 -0700, you wrote:
kloomis wrote:
Hello:
I am using SSL with Apache 2.0 to run a "secure" website.  The problem I have is that Mac users using Internet Explorer open the site without encryption.  They access it via an https:\\ address but they don't get asked to accept a security certificate and the site opens for them.  PC users are required to accept the certificate before they get access.
How can I fix this?
        It's not clear to me why you think this is a problem. If there is some reason they should be required to accept the security certificate, and they aren't being required to, then it's a problem.
Thanks for your reply.
Yes, they should not be able to access the data without encrypted transmission.  Is there a way for me to require it?
        We're talking past each other here. I am talking about whether or not they have to accept a security certificate. You are talking about whether or not they must use SSL.

        Are you saying that people are able to supply an 'https' URL and connect without using SSL?! That would be a problem.
Yes.  That is what is happening.

But this has nothing to do with whether you do or don't have to accept a certificate.  Normally you only have to manually accept a certificate if the certificate is deficient in some way.
It's a self signed cert, that's why they have to accept it.  I want to restrict users only to access the site via SSL.  Do you know how to make that happen?

Ken
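
The simpler case described in the reply above ("Listen 443" with no "Listen 80", a :443 virtual host, and SSLRequireSSL), written out as an added example that is not part of the original thread or of the Apache documentation. The certificate and key file names and the document root are assumptions; replace them with your own.

```apache
# Constructed example: HTTPS-only server for Apache 2.0 with mod_ssl.
# Host name, paths and file names below are placeholders.

# Omit this line if mod_ssl is compiled into httpd.
LoadModule ssl_module modules/mod_ssl.so

# Bind only the HTTPS port. With no "Listen 80" there is no plain-HTTP
# socket for clients to reach.
Listen 443

# Server-wide, so it also covers any listener or virtual host added later.
<Directory /usr/local/apache2/htdocs>
    # Deny any request that did not arrive over SSL.
    SSLRequireSSL
    # Keep a "Satisfy any" elsewhere from overriding that denial.
    SSLOptions +StrictRequire
    Order allow,deny
    Allow from all
</Directory>

<VirtualHost myhost.yourcompany.com:443>
    ServerName   myhost.yourcompany.com
    DocumentRoot /usr/local/apache2/htdocs

    # Without "SSLEngine on", a virtual host on port 443 still speaks
    # plain HTTP on that port.
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>
```

Run `apachectl configtest` after editing to catch syntax errors before restarting.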






