Re: Client Authentication and Access Control

2005-06-14 Thread yvin Smme

Joe Orton wrote:

On Fri, Jun 03, 2005 at 08:56:56AM +0200, yvin Smme wrote:


Method 2 (SSLRequire):

 The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?



mod_ssl in httpd 2.0 supports the SSLUsername directive which allows
this:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername

Regards,

joe
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Thanks for a very good suggestion. Seems to be just what I need.
So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
inside the IfDefine SSL /IfDefine context. This resulted in *no*
change in my log files, the user-id field was still '-'.

Any idea why it didn't work?


Regards
yvin
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Client Authentication and Access Control

2005-06-14 Thread yvin Smme

yvin Smme wrote:

Joe Orton wrote:


On Fri, Jun 03, 2005 at 08:56:56AM +0200, yvin Smme wrote:


Method 2 (SSLRequire):

 The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?




mod_ssl in httpd 2.0 supports the SSLUsername directive which allows
this:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername

Regards,

joe



Thanks for a very good suggestion. Seems to be just what I need.
So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
inside the IfDefine SSL /IfDefine context. This resulted in *no*
change in my log files, the user-id field was still '-'.

Any idea why it didn't work?


Regards
yvin



I found out the issue: I cannot use 'SSLOptions +FakeBasicAuth' together with 
'SSLUserName xxx'
(not documented anywhere).

Regards.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Client Authentication and Access Control

2005-06-03 Thread Øyvin Sømme


Hi.

I have read the instructions at:

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

and successfully set up a web server which runs HTTPS and requires
client certificates for authentication.

However, I am not 100% pleased with neither of the *two* methods. What I
dislike is the *user-id* part of the information that is stored in the
access log:

Method 1 (mod_auth):

   The user-id field is a string converted from the *full* subject DN in the
   client certificate which in my case (with Verisign class 1 certificates)
   are typically 230 chars long!

Method 2 (SSLRequire):

  The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?


One more thing with method 1: I noted that the syntax in mod_auth/AuthGroupFile
is:

mygroup: user-id1 user-id2 user-id3

i.e. using space as a separator. The user-id produced in method 1 above
contains a lot of spaces. How can this work? Using quotes?

Thanks.

Oyvin
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Client Authentication and Access Control

2005-06-03 Thread Joe Orton
On Fri, Jun 03, 2005 at 08:56:56AM +0200, yvin Smme wrote:
 Method 2 (SSLRequire):
 
   The user-id field is just '-'.
 
 Can I somehow configure apache/mod_ssl to only store certain elements of
 the DN (e.g. the CN in the DN) as the user-id in the access-log?

mod_ssl in httpd 2.0 supports the SSLUsername directive which allows
this:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername

Regards,

joe
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Problems with Client authentication and access control

2002-04-03 Thread haldor

Hello.

I have successfuly done Client Authentication using client certificates with 
apache-openssl-modssl. 

SSLVerifyClient  none
Directory /usr/local/apache/htdocs/secure/area
SSLVerifyClient  require
SSLVerifyDepth   5
#SSLCACertificateFile conf/ssl.crt/ca.crt
#SSLCACertificatePath conf/ssl.crt
SSLOptions   +FakeBasicAuth
SSLRequireSSL
SSLRequire   %{SSL_CLIENT_S_DN_O}  eq Snake Oil, Ltd. and \
 %{SSL_CLIENT_S_DN_OU} in {Staff, CA, Dev}
/Directory

The definition of SSLCACertificateFile and SSLCACertificatePath are above in 
the httpd.conf file. 
When i try to connect to https:/www.xxx.xx/secure the server asks for the 
certificate, validates it and show index.html in the secure directory. 
Everything seem to work fine.

But when i do a http://www.xxx.xx/secure I can still see the index.html. 
According to my understanding the index.html in the secure directory should not 
be shown. Can anyone help me with this? Is there anything more i should do to 
prevent access from http on the secure directory?

Thanx 
Haldor Husby.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Client Authentication and Access Control

1999-05-31 Thread Fabrizio Pivari

I've read the mod_ssl documentation about
Client Authentication and Access Control part.
I've found this part very interesting and I'd like to test it.
Could you explain me the OpenSSL commands to create client
certificates signed by my CA certificate?

I've already created my CA certificate, using the command
$ openssl genrsa -des3 -out ca.key 1024
Is this correct also to sign client certificates?

Can I use the command sign.sh to sign them?

Thanks in advance

Ciao

Fabrizio


__
Get Your Private, Free Email at http://www.hotmail.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]