Re: Client Authentication and Access Control

2005-06-14 Thread Øyvin Sømme

Øyvin Sømme wrote:

> Joe Orton wrote:
>
> > On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
> >
> > > Method 2 (SSLRequire):
> > >
> > >   The user-id field is just '-'.
> > >
> > > Can I somehow configure apache/mod_ssl to only store certain elements of
> > > the DN (e.g. the CN in the DN) as the user-id in the access-log?
> >
> > mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
> > this:
> >
> > http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername
> >
> > Regards,
> >
> > joe
>
> Thanks for a very good suggestion. Seems to be just what I need.
> So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
> inside the   context. This resulted in *no*
> change in my log files, the user-id field was still '-'.
>
> Any idea why it didn't work?
>
> Regards
> Øyvin



I found out the issue: I cannot use 'SSLOptions +FakeBasicAuth' together with 
'SSLUserName xxx'
(not documented anywhere).

Regards.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
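An added illustration, not configuration from the thread: the directive combination the poster reports as not working, beside the variant that drops FakeBasicAuth and leaves the access decision to SSLRequire so that SSLUserName supplies the logged user-id. The organisation and unit names, the log format and the sample log line are assumed values.

```apache
# Added example with assumed values; not the poster's httpd.conf.
# %u is the user-id field of the access log that the thread is about.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common

# Combination the poster reports as NOT working: with +FakeBasicAuth also
# set, the SSLUserName value never reached the log (user-id stayed '-').
<Location /secure-before>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  5
    SSLOptions      +FakeBasicAuth
    SSLUserName     SSL_CLIENT_S_DN_CN
    SSLRequire      %{SSL_CLIENT_S_DN_O}  eq "Example Org" and \
                    %{SSL_CLIENT_S_DN_OU} in {"Staff", "Dev"}
</Location>

# Combination that matches what the poster found works: no FakeBasicAuth,
# access controlled by SSLRequire, user-id taken from the certificate CN.
<Location /secure>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  5
    SSLUserName     SSL_CLIENT_S_DN_CN
    SSLRequire      %{SSL_CLIENT_S_DN_O}  eq "Example Org" and \
                    %{SSL_CLIENT_S_DN_OU} in {"Staff", "Dev"}
</Location>

# Constructed access_log entry for the second block, for a client
# certificate whose CN is "Jane Doe" (the CN, not the 230-char DN, is logged):
#   192.0.2.10 - Jane Doe [14/Jun/2005:10:00:00 +0200] "GET /secure/ HTTP/1.1" 200 512
```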


Re: Client Authentication and Access Control

2005-06-14 Thread Øyvin Sømme

Joe Orton wrote:

> On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
>
> > Method 2 (SSLRequire):
> >
> >   The user-id field is just '-'.
> >
> > Can I somehow configure apache/mod_ssl to only store certain elements of
> > the DN (e.g. the CN in the DN) as the user-id in the access-log?
>
> mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
> this:
>
> http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername
>
> Regards,
>
> joe


Thanks for a very good suggestion. Seems to be just what I need.
So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
inside the   context. This resulted in *no*
change in my log files, the user-id field was still '-'.

Any idea why it didn't work?


Regards
Øyvin


Re: Client Authentication and Access Control

2005-06-03 Thread Joe Orton
On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
> Method 2 (SSLRequire):
> 
>   The user-id field is just '-'.
> 
> Can I somehow configure apache/mod_ssl to only store certain elements of
> the DN (e.g. the CN in the DN) as the user-id in the access-log?

mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
this:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername

Regards,

joe


Client Authentication and Access Control

2005-06-02 Thread Øyvin Sømme


Hi.

I have read the instructions at:

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

and successfully set up a web server which runs HTTPS and requires
client certificates for authentication.

However, I am not 100% pleased with either of the *two* methods. What I
dislike is the *user-id* part of the information that is stored in the
access log:

Method 1 (mod_auth):

  The user-id field is a string converted from the *full* subject DN in the
  client certificate which in my case (with Verisign class 1 certificates)
  are typically 230 chars long!

Method 2 (SSLRequire):

  The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?


One more thing with method 1: I noted that the syntax in mod_auth/AuthGroupFile
is:

mygroup: user-id1 user-id2 user-id3

i.e. using space as a separator. The user-id produced in method 1 above
contains a lot of spaces. How can this work? Using quotes?

Thanks.

Oyvin


Problems with Client authentication and access control

2002-04-03 Thread haldor

Hello.

I have successfully done Client Authentication using client certificates with 
apache-openssl-modssl. 

SSLVerifyClient  none

SSLVerifyClient  require
SSLVerifyDepth   5
#SSLCACertificateFile conf/ssl.crt/ca.crt
#SSLCACertificatePath conf/ssl.crt
SSLOptions   +FakeBasicAuth
SSLRequireSSL
SSLRequire   %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
 %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}


The definitions of SSLCACertificateFile and SSLCACertificatePath are above in 
the httpd.conf file. 
When I try to connect to https://www.xxx.xx/secure the server asks for the 
certificate, validates it and shows index.html in the secure directory. 
Everything seems to work fine.

But when I do a http://www.xxx.xx/secure I can still see the index.html. 
According to my understanding the index.html in the secure directory should not 
be shown. Can anyone help me with this? Is there anything more I should do to 
prevent access from http on the secure directory?

Thanx 
Haldor Husby.

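An added illustration, not configuration from the post: it assumes the cause of the plain-HTTP exposure is that the block shown above sits only inside the HTTPS virtual host, so the port-80 host has no rule for /secure and serves it from a shared DocumentRoot. The layout, the virtual-host names and the corrected placement are assumptions; the SSLRequire expression and directive values are the poster's.

```apache
# Added example (assumed layout); not the poster's httpd.conf.
# Assumed cause: the <Location /secure> block lives only inside the HTTPS
# virtual host, so http://.../secure is never subject to SSLRequireSSL.
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient none
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  5
        SSLOptions      +FakeBasicAuth
        SSLRequireSSL
        SSLRequire      %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
                        %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    </Location>
</VirtualHost>

# Corrected: declare the block in the main server scope, which every
# virtual host inherits. A plain-HTTP request for /secure is now refused
# by SSLRequireSSL (403 Forbidden) before any content is served; over
# HTTPS the client-certificate checks apply exactly as before.
<Location /secure>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  5
    SSLOptions      +FakeBasicAuth
    SSLRequire      %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
                    %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
</Location>

<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
```

Giving the HTTPS host its own DocumentRoot, so that the secure directory does not exist in the plain-HTTP host's tree at all, is a complementary defence against the same misconfiguration.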



Client Authentication and Access Control

1999-05-31 Thread Fabrizio Pivari

I've read the mod_ssl documentation about the
Client Authentication and Access Control part.
I've found this part very interesting and I'd like to test it.
Could you explain to me the OpenSSL commands to create client
certificates signed by my CA certificate?

I've already created my CA certificate, using the command
$ openssl genrsa -des3 -out ca.key 1024
Is this correct also to sign client certificates?

Can I use the command sign.sh to sign them?

Thanks in advance

Ciao

Fabrizio

