andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Thu 01 Jul '10 16:15 Post subject: allow only clients who have certificates to access...
How can I allow only clients who have certificates to access a particular URL?
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
"How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?"
I get an error:
Code:
[Thu Jul 01 15:37:35 2010] [error] [client 127.0.0.1] user /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru: authentication failure for "/": Password Mismatch
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Tue 06 Jul '10 17:49
I did:
1) Create your own self-signed trusted certificate (ca.crt) and private key (ca.key). They will sign the server and client certificates.
openssl req -new -newkey rsa:1024 -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=Certificate_Issuer/CN=bugzilla.ru/emailAddress=admin@reki.ru -config "openssl.cnf"
2) Prepare the configuration file ca.config:
[ca]
default_ca = CA_CLIENT
[CA_CLIENT]
dir = ./db
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = ./ca.crt
private_key = ./ca.key
default_days = 365
default_crl_days = 7
default_md = md5
policy = policy_anything
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
3) Create a private server key and a server certificate request
openssl req -new -newkey rsa:1024 -nodes -keyout server.key -out server.csr -subj /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru -config "openssl.cnf"
4) Sign the server request with ca.crt and obtain a server certificate
openssl ca -config ca.config -in server.csr -out server.crt -batch
5) Create a private client key and a client certificate request
openssl req -new -newkey rsa:1024 -nodes -keyout stellar.key -out stellar.csr -subj /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru -config "openssl.cnf"
6) Sign the client request with ca.crt and obtain a client certificate
openssl ca -config ca.config -in stellar.csr -out stellar.crt -batch
Last edited by andre_nn on Tue 06 Jul '10 17:52; edited 1 time in total
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Tue 06 Jul '10 17:51
Then I edited \Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-ssl.conf:
------------------
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex default
<VirtualHost 192.168.2.59:443>
DocumentRoot "c:/site/bugzilla/www"
ServerName 192.168.2.59:443
ErrorLog "c:/site/bugzilla/error.log"
TransferLog "c:/site/bugzilla/access.log"
CustomLog "c:/site/bugzilla/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory C:/Site/Bugzilla/www>
Options Indexes FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
ScriptInterpreterSource Registry-Strict
#==================================
SSLVerifyClient require
SSLOptions +FakeBasicAuth
AuthName "secret server"
AuthType Basic
AuthUserFile "C:/passwd"
Require valid-user
#==================================
</Directory>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/Site/SSL/server.crt"
SSLCertificateKeyFile "C:/Site/SSL/server.key"
SSLCertificateChainFile "C:/Site/SSL/ca.key"
#SSLCACertificatePath "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt"
SSLCACertificateFile "C:/Site/SSL/ca.crt"
#SSLCARevocationPath "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crl"
#SSLCARevocationFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crl/ca-bundle.crl"
SSLVerifyClient require
SSLVerifyDepth 1
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
----------------------------------------
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Tue 06 Jul '10 17:55
File "C:/passwd" contains:
/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:xxj31ZMTZzkVA
/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:1
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Tue 06 Jul '10 17:57
What data should I enter in the authorization window?
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Tue 06 Jul '10 17:58
I pass the certificate validation and get the login screen, but the authentication does not pass. In the logs I receive an error:
Code:
[Thu Jul 01 15:37:35 2010] [error] [client 127.0.0.1] user /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru: authentication failure for "/": Password Mismatch
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Tue 06 Jul '10 23:08
Dude, you mixed the cert auth with basic auth.
As in the first link I posted, there should be
Code:
<VirtualHost 192.168.2.59:443>
SSLCACertificateFile "C:/Site/SSL/ca.crt"
...
<Location />
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
...
</VirtualHost>
If you really want to use basic auth and not the certs, then you have to create a valid password file with md5-crypted passwords. For that see http://www.apachelounge.com/viewtopic.php?t=1877
But don't mix the password authentication with the cert-based authentication.
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Wed 07 Jul '10 9:30
James Blond wrote:
Dude, you mixed the cert auth with basic auth.
As in the first link I posted, there should be

I want to bind the certificate to the user account. I create a client certificate for the user. The user installs the client certificate in the browser. He opens the server URL, passes certificate verification, and then receives the authorization window. In the authorization window he can only log in to his own account. This solution is described on the official website:
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol
"How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?"
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Wed 07 Jul '10 9:39
James Blond wrote:
If you really want to use basic auth and not the certs, then you have to create a valid password file with md5-crypted passwords. For that see http://www.apachelounge.com/viewtopic.php?t=1877
But don't mix the password authentication with the cert-based authentication.

I have implemented the certificate verification. With that solution there is no problem; everything works. Now I need to assign user accounts to their certificates as described in http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol
"How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?"
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Wed 07 Jul '10 9:46
I do not want a solution of the kind "authorization by client certificate, or by BASIC (passwd)". I want a solution that links client certificates to user accounts. All this is described on the official website (link in my first post), but for some reason this solution does not work for me :(
If I disable "SSLOptions FakeBasicAuth", then the authentication works. But that solution does not bind the client certificate to a user account. If I disable "SSLOptions FakeBasicAuth", the whole point is lost.
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Wed 07 Jul '10 9:59
Here I have no question. Everything works!
"How can I authenticate only particular clients for some URLs based on certificates but still allow arbitrary clients to access the remaining parts of the server?"
The first method:
This solution is described here: http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol
That is not a solution to my problem.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 07 Jul '10 17:19
ok... so your problem is now the password mismatch? Please try
Code:
$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/
instead of
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Thu 08 Jul '10 15:33
James Blond wrote:
ok... so your problem is now the password mismatch? Please try
Code:
$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/
instead of

File "C:/passwd" contains:
Code:
/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/
I pass the certificate validation and get the login screen. I enter the login and password:
login: /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru
password: password
In the logs I receive an error:
Code:
[Thu Jul 08 17:31:44 2010] [info] Initial (No.1) HTTPS request received for child 149 (server 127.0.0.1:443)
[Thu Jul 08 17:31:44 2010] [info] [client 127.0.0.1] Faking HTTP Basic Auth header: "Authorization: Basic L0M9UlUvU1Q9LS9MPU1vc2Nvdy9PPVJla2kucnUvT1U9U1ZOL0NOPWJ1Z3ppbGxhLnJ1L2VtYWlsQWRkcmVzcz1zdm5Ac3ZuLnJla2kucnU6cGFzc3dvcmQ="
[Thu Jul 08 17:31:44 2010] [error] [client 127.0.0.1] user /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru: authentication failure for "/": Password Mismatch
[Thu Jul 08 17:31:44 2010] [info] [client 127.0.0.1] Connection closed to child 149 with unclean shutdown (server 127.0.0.1:443)
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Thu 08 Jul '10 15:51
I created the password using the program http://web9.2020media.com/other/htpasswd.jsp
File "C:/passwd" contains:
Code:
/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:0sqzDS6URBCog
I pass the certificate validation and get the login screen. I enter the login and password:
login: /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru
password: password
In the logs I receive an error:
Code:
[Thu Jul 08 17:47:06 2010] [info] Initial (No.1) HTTPS request received for child 149 (server 127.0.0.1:443)
[Thu Jul 08 17:47:06 2010] [error] [client 127.0.0.1] Encountered FakeBasicAuth spoof: /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru
[Thu Jul 08 17:47:06 2010] [info] [client 127.0.0.1] Connection closed to child 149 with unclean shutdown (server 127.0.0.1:443)
andre_nn
Joined: 01 Jul 2010 Posts: 13
Posted: Thu 08 Jul '10 15:54
It's a miracle! )))))))
The old error disappeared! )))))
A new error:
"Encountered FakeBasicAuth spoof"
Thank you!!!
Shall we solve the next problem?
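The two log excerpts above show the whole FakeBasicAuth mechanism in action, so here is a small Python model of it as an added illustration (it is not code from this thread, from Apache httpd or from APR). It builds the header mod_ssl injects for SSLOptions +FakeBasicAuth and checks it against the header Apache logged, reimplements the MD5-crypt used for the suggested passwd entry, mirrors the dispatch in APR's password check (which on the Windows build has no C-library crypt() and falls back to a plain-text compare), and reproduces the spoof refusal that appears once the browser itself sends the DN and the word password. The DN, the logged header and the MD5-crypt entry are taken from the thread; the functions, the platform switch and the constructed salt are my own simplifications of httpd's ssl_hook_UserCheck() and APR's apr_password_validate().

```python
import base64
import hashlib
from typing import Optional, Tuple

# Values taken from the thread: the client DN mod_ssl uses as the username, the
# fixed FakeBasicAuth password, the header Apache logged as "Faking HTTP Basic
# Auth header", and the MD5-crypt entry suggested for the password file.
CLIENT_DN = "/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru"
FAKE_PASSWORD = "password"
LOGGED_HEADER = ("Basic L0M9UlUvU1Q9LS9MPU1vc2Nvdy9PPVJla2kucnUvT1U9U1ZOL0NOPWJ1Z3ppbGxhLnJ1"
                 "L2VtYWlsQWRkcmVzcz1zdm5Ac3ZuLnJla2kucnU6cGFzc3dvcmQ=")
MD5_CRYPT_ENTRY = "$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/"

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def fake_basic_auth_header(client_dn: str) -> str:
    """Header mod_ssl injects for SSLOptions +FakeBasicAuth: base64("<DN>:password")."""
    return "Basic " + base64.b64encode(f"{client_dn}:{FAKE_PASSWORD}".encode()).decode()


def is_fake_basic_auth_spoof(client_header: Optional[str]) -> bool:
    """Simplified model of mod_ssl's check on a header the client itself sent:
    a Basic credential whose user looks like a DN (starts with '/') and whose
    password is the fixed word is refused and logged as a FakeBasicAuth spoof."""
    if not client_header or not client_header.startswith("Basic "):
        return False
    user, _, pw = base64.b64decode(client_header[6:]).decode().partition(":")
    return user.startswith("/") and pw == FAKE_PASSWORD


def md5_crypt(password: bytes, salt: bytes, magic: bytes) -> str:
    """MD5-crypt as implemented in apr_md5_encode(); magic is b"$1$" for the
    libc form or b"$apr1$" for the form htpasswd -m writes (APR's own)."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:                       # one bit of len(password) per step
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):          # stretching rounds
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    def to64(v: int, n: int) -> bytes:
        return bytes(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = b"".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return (magic + salt + b"$" + out + to64(final[11], 2)).decode()


def apr_password_validate(password: str, stored: str, platform: str) -> Tuple[bool, str]:
    """Dispatch as in APR's apr_password_validate(): $apr1$ and {SHA} entries are
    checked by APR itself; anything else goes to the C library's crypt(), which
    the Windows build lacks, so there APR falls back to a plain-text compare."""
    pw = password.encode()
    if stored.startswith("$apr1$"):
        salt = stored[6:].split("$", 1)[0].encode()
        return md5_crypt(pw, salt, b"$apr1$") == stored, "APR $apr1$"
    if stored.startswith("{SHA}"):
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode() == stored, "APR {SHA}"
    if platform == "windows":
        return password == stored, "plain-text compare, no crypt() on Windows"
    if stored.startswith("$1$"):
        salt = stored[3:].split("$", 1)[0].encode()
        return md5_crypt(pw, salt, b"$1$") == stored, "crypt() MD5"
    return False, "crypt() DES, not reimplemented here"


def simulate_request(client_dn: str, browser_header: Optional[str], passwd_text: str,
                     platform: str = "unix") -> str:
    """Outcome for a request with a verified client cert into an area protected by
    SSLOptions +FakeBasicAuth and AuthUserFile: spoof check, header faking, user file."""
    if is_fake_basic_auth_spoof(browser_header):
        return "403 Encountered FakeBasicAuth spoof: " + client_dn
    user, _, pw = base64.b64decode(fake_basic_auth_header(client_dn)[6:]).decode().partition(":")
    for line in passwd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            ok, how = apr_password_validate(pw, stored, platform)
            return ("200 OK" if ok else "401 Password Mismatch") + " (" + how + ")"
    return "401 user not found: " + user


if __name__ == "__main__":
    passwd = CLIENT_DN + ":" + MD5_CRYPT_ENTRY
    print(simulate_request(CLIENT_DN, None, passwd, "windows"))   # the thread's mismatch on Windows
    print(simulate_request(CLIENT_DN, LOGGED_HEADER, passwd))     # browser typed DN/password: spoof
    apr1 = md5_crypt(b"password", b"ap0r1xyz", b"$apr1$")        # constructed salt, htpasswd -m form
    print(simulate_request(CLIENT_DN, None, CLIENT_DN + ":" + apr1, "windows"))  # accepted
```

Two things the model makes visible. First, the user file must hold the fixed word password in a form the running APR can verify: on Windows that means an $apr1$ entry (what htpasswd -m produces) or a {SHA} entry, because both the DES form and the $1$ form are handed to a crypt() that is not there. Second, with FakeBasicAuth the browser should never show a login prompt; if it does, the faked header has already been rejected, and typing the DN and password into the prompt produces exactly the header the spoof check refuses. Since every certificate holder then shares the same literal password, the Basic-auth area must not also be reachable by password-only clients, which is the point of keeping the two mechanisms apart.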