Apache Lounge
Topic: Trouble authenticating IE users with client certificates
iamjimjones
Joined: 14 Mar 2013
Posts: 2
Location: USA, MO, St Louis

Posted: Fri 15 Mar '13 4:30    Post subject: Trouble authenticating IE users with client certificates

Hi all,
I am having a problem getting Apache to allow access to IE 6/7/8/9 users
with client certificates installed to access restricted resources. I have
several servers (Windows and Linux) running various versions of Apache from
2.0 through 2.4, all behave the same way. I am simply unable to get client
certificates to authenticate IE users. Please do let me know if any more
information is needed, including how I built the CA chain, CRLs, etc.


Note that using the same client certs from Firefox works just fine,
users can successfully authenticate to the resource and get content.

Thank you!
Jim

##### ssl.conf
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/pki/tls/certs/wildcard.crt
SSLCertificateKeyFile /etc/pki/tls/private/21wildcard.key
SSLCertificateChainFile /etc/httpd/conf/ssl/cachain.pem
SSLCACertificateFile /etc/httpd/conf/ssl/rootca.cer
SSLCADNRequestFile /etc/httpd/conf/ssl/cachain.pem
SSLCARevocationFile /etc/httpd/conf/ssl/cachain.crl
SSLVerifyClient none
SSLInsecureRenegotiation on
CustomLog "/etc/httpd/logs/extended_ssl_request.log" "%t %h %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_I_DN_CN}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
<Location /foo/>
SSLVerifyClient optional
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule .* /var/www/error/HTTP_UNAUTHORIZED.html [L]
SSLVerifyDepth 10
SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
#SSLRequire ( %{SSL_CLIENT_S_DN_CN} eq "Biggs, \Mike" \
# or %{SSL_CLIENT_S_DN_emailAddress} eq "mike.biggs@nypd.org" ) \
# and %{SSL_CLIENT_I_DN_CN} in {"nypd\-ca\-1", "nypd\-ca\-2", "nypd\-ca\-3"}
</Location>

#### extended_ssl_request.log
[13/Mar/2013:12:03:09 -0400] x.x.x.x NONE - - "GET / HTTP/1.0" 768
[13/Mar/2013:12:03:09 -0400] x.x.x.x NONE - - "GET /icons/blank.gif HTTP/1.0" 148
[13/Mar/2013:12:03:09 -0400] x.x.x.x NONE - - "GET /icons/unknown.gif HTTP/1.0" 245
[13/Mar/2013:12:03:21 -0400] x.x.x.x NONE - - "GET /foo/bar HTTP/1.0" -

Admin note:
The very very very huge (debug) logs were removed; see forum rules. Use a paste bin.
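The CustomLog in the ssl.conf above records %{SSL_CLIENT_VERIFY}x for every request, and all the lines shown say NONE, i.e. the handshake completed but the browser offered no certificate at all (a rejected certificate would show FAILED:<reason>, an accepted one SUCCESS). As an added example, not code from the thread, here is a small triage script for that log format: it parses the lines exactly as the post's format writes them and reports, per client, whether a certificate was accepted, rejected, or never presented on the protected path. The sample lines and hosts are constructed; the parser assumes the issuer CN contains no spaces.

```python
import re
from collections import defaultdict

# Parser for the CustomLog format in the post's ssl.conf:
#   %t %h %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_I_DN_CN}x %{SSL_CLIENT_S_DN}x "%r" %b
# Assumption: the issuer CN has no spaces. FAILED:<reason> text and the subject
# DN may contain spaces; quoting those fields in LogFormat would avoid guesswork.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'(?P<verify>NONE|SUCCESS|GENEROUS|FAILED:.+?) '
    r'(?P<issuer_cn>\S+) (?P<subject_dn>-|/.*?|[A-Za-z]+=.*?) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'
)

# Constructed sample lines (not from the thread); hosts are placeholders.
SAMPLE_LOG = """\
[13/Mar/2013:12:03:09 -0400] 10.0.0.5 NONE - - "GET / HTTP/1.0" 768
[13/Mar/2013:12:03:21 -0400] 10.0.0.5 NONE - - "GET /foo/bar HTTP/1.0" -
[13/Mar/2013:12:04:02 -0400] 10.0.0.6 SUCCESS ca-2 /C=US/O=Example/CN=Alice Smith "GET /foo/bar HTTP/1.0" 1204
[13/Mar/2013:12:05:17 -0400] 10.0.0.7 FAILED:unable to get certificate CRL ca-3 /C=US/O=Example/CN=Bob Jones "GET /foo/bar HTTP/1.0" -
"""

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) > 1 else parts[0]
    return rec

def triage(log_text, protected_prefix="/foo/"):
    """Per client host: count verify states on the protected path, keep FAILED reasons."""
    counts = defaultdict(lambda: defaultdict(int))
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(protected_prefix):
            continue
        state, _, reason = rec["verify"].partition(":")
        counts[rec["host"]][state] += 1
        if state == "FAILED":
            reasons[rec["host"]].add(reason)
    return counts, reasons

def verdict(host_counts):
    """One-word triage: was a cert ever accepted, rejected, or never sent?"""
    if host_counts.get("SUCCESS") or host_counts.get("GENEROUS"):
        return "accepted"
    if host_counts.get("FAILED"):
        return "rejected"
    return "no-cert-presented"
```

A host whose protected requests all come back "no-cert-presented" never sent a certificate, so the place to look is the handshake (which CAs the server advertises, renegotiation inside the Location) rather than the CRL or SSLRequire rules; "rejected" hosts carry the OpenSSL reason in the reasons set.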
iamjimjones
Joined: 14 Mar 2013
Posts: 2
Location: USA, MO, St Louis

Posted: Wed 20 Mar '13 20:28    Post subject: Still no luck...

No hits on this thread yet, so I am replying to myself with more information...

I am creating the cachain.pem with
type wildcart.crt > cachain.pem
type intmdtca.cer >> cachain.pem
type rootca.cer >> cachain.pem

I have also tried it as
type wildcart.crt > cachain.pem
type cabundle.pem >> cachain.pem

I am creating the cachain.crl with the below script:
@echo off
set openssl_conf=D:\Apache2.4\conf\openssl.cnf
set path=%path%;D:\Apache2.4\bin
set chaincrl=D:\Apache2.4\conf\ssl\cachain.crl
set CRLpath=D:\Apache2.4\conf\ssl\CRLs
set CRLders=D:\Apache2.4\conf\ssl\DER_CRLs
for /f %%i in ('dir /b %CRLpath%') do @del %CRLpath%\%%i
for /f "tokens=1,2" %%i in (crls.txt) do @wget %%j/%%i --no-check-certificate -O "%CRLders%\%%i"
for /f %%i in ('dir /b %CRLders%') do @openssl crl -inform DER -in %CRLders%/%%i -outform PEM -out %CRLpath%\%%i
del %chaincrl%
for /f "tokens=1,2" %%i in (crls.txt) do @type "%CRLpath%\%%i" >> %chaincrl%
copy %chaincrl% D:\Apache2.4\htdocs\

The contents of the crls.txt file are:
ca-1(1).crl http://ca-1/CertEnroll/
CA-2-CA.crl http://ca-2/CertEnroll/
CA-3(1).crl http://ca-3/CertEnroll/