Re: Client Authentication and Access Control
Øyvin Sømme wrote:
> Joe Orton wrote:
>> On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
>>> Method 2 (SSLRequire): The user-id field is just '-'.
>>> Can I somehow configure apache/mod_ssl to only store certain elements of the DN (e.g. the CN in the DN) as the user-id in the access-log?
>>
>> mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows this:
>> http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername
>>
>> Regards, joe
>
> Thanks for a very good suggestion. Seems to be just what I need.
> So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN' inside the context. This resulted in *no* change in my log files; the user-id field was still '-'.
> Any idea why it didn't work?
>
> Regards
> Øyvin

I found out the issue: I cannot use 'SSLOptions +FakeBasicAuth' together with 'SSLUserName xxx' (not documented anywhere).

Regards.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Client Authentication and Access Control
Joe Orton wrote:
> On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
>> Method 2 (SSLRequire): The user-id field is just '-'.
>> Can I somehow configure apache/mod_ssl to only store certain elements of the DN (e.g. the CN in the DN) as the user-id in the access-log?
>
> mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows this:
> http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername
>
> Regards, joe

Thanks for a very good suggestion. Seems to be just what I need.
So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN' inside the context. This resulted in *no* change in my log files; the user-id field was still '-'.
Any idea why it didn't work?

Regards
Øyvin
Client Authentication and Access Control
Hi.

I have read the instructions at:
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9
and successfully set up a web server which runs HTTPS and requires client certificates for authentication.

However, I am not 100% pleased with either of the *two* methods. What I dislike is the *user-id* part of the information that is stored in the access log:

Method 1 (mod_auth): The user-id field is a string converted from the *full* subject DN in the client certificate, which in my case (with Verisign class 1 certificates) is typically 230 chars long!

Method 2 (SSLRequire): The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of the DN (e.g. the CN in the DN) as the user-id in the access-log?

One more thing with method 1: I noted that the syntax in mod_auth/AuthGroupFile is:

mygroup: user-id1 user-id2 user-id3

i.e. using space as a separator. The user-id produced in method 1 above contains a lot of spaces. How can this work? Using quotes?

Thanks.
Oyvin
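An added configuration example, not from the thread, that puts the pieces of this exchange together: the SSLRequire approach (method 2) combined with SSLUserName so the access-log user-id field (%u) carries only the certificate CN, and without FakeBasicAuth, which the thread reports as preventing SSLUserName from taking effect. Certificate paths, the /secure location and the DN values in SSLRequire are placeholders.

```apache
# Added example (not from the thread). Paths and DN values below are
# placeholders; adjust them to your own server and CA.

# Common Log Format: %u is the user-id field discussed in the thread.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/ssl_access_log common

<VirtualHost _default_:443>
    SSLEngine on
    # Placeholder server certificate, key and client-CA bundle.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/ca-bundle.crt

    <Location /secure>
        # Demand a client certificate chaining to a CA in the bundle.
        SSLVerifyClient require
        SSLVerifyDepth  5

        # Method 2: access control on certificate contents. Placeholder
        # organisation and unit values; no AuthGroupFile of long DNs needed.
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org" \
                   and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA"}

        # Set the request user from the certificate CN so %u logs the CN
        # instead of '-' (or the full 230-char DN of method 1).
        SSLUserName SSL_CLIENT_S_DN_CN

        # Deliberately NOT set here: 'SSLOptions +FakeBasicAuth'. The
        # thread reports that with it enabled SSLUserName had no effect.
    </Location>
</VirtualHost>
```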