Someone asked me to explain how to set up your own instance of Apache using MSVA, so here goes:
0a) Make or co-opt a user to run MSVA on a fixed port. I was doing this with runit, but systemd turns out to be far nicer, so there's an example config[0] to use with a "wwwmsva" user. f.ex.

    sudo adduser wwwmsva
    sudo editor /etc/systemd/wwwmsva.service
    (copy, paste, tweak, and save)
    sudo systemctl enable wwwmsva
    sudo systemctl start wwwmsva

0b) As the aforementioned user, import the key or keys you wish to authorize as certifiers and give them "ultimate" trust. f.ex.

    sudo -u wwwmsva -H gpg --recv-keys FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
    sudo -u wwwmsva -H gpg --edit FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
    trust
    5
    y
    quit

1a) Ensure that you have apache2 and libapache2-mod-gnutls installed, that they are sufficiently recent (libapache2-mod-gnutls 0.6-1), and that mod-gnutls is enabled. f.ex.

    sudo apt-get install apache2 libapache2-mod-gnutls
    sudo a2enmod gnutls

1b) Add the following line (or the equivalent, if you are using a port other than 5000) to /etc/apache2/envvars:

    export MONKEYSPHERE_VALIDATION_AGENT_SOCKET=http://127.0.0.1:5000

1c) Add a virtual host with a config that uses "GnuTLSClientVerifyMethod msva" and "GnuTLSClientVerify require". Putting "GnuTLSClientVerify request" or "GnuTLSClientVerify require" in a <Directory> rather than on the entire vhost seems to lead to a lot of TLS rehandshaking and an utter failure to work, so you may want to stick to something like this[1] for now.

1d) Generate a self-signed X.509 certificate to be used by the vhost, and place it and its corresponding secret key in the places designated by the Apache config.

1e) Import this into the Monkeysphere so that your clients can authenticate the server. This is completely unnecessary for authenticating the client, so you can skip it if all you want to test is that. f.ex.

    sudo monkeysphere-host import-key /etc/apache2/certstuff/blah.key https://myfunwebserver.example.org
    sudo monkeysphere-host set-expire 1y
    sudo monkeysphere-host publish-keys
    (manually import, certify with a key that your xul-ext-monkeysphere setup will approve, and publish to the keyservers)

2) Follow the instructions at demo.monkeysphere.info[2] to unsafely get your secret key material into your web browser.

3) Ensure that Apache has been restarted/reloaded with the correct configuration.

4) Add a CGI[3] that will give you some insight into what's going on, possibly as /usr/lib/cgi-bin/showenv

5) Direct your web browser to the equivalent of https://myfunwebserver.example.org/cgi-bin/showenv

6) Observe the values of the environment variables SSL_CLIENT_S_AN0, SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY. Note that if you connect with any random client cert, you should get SSL_CLIENT_VERIFY=FAILED.

Now here are some problems:

a) You can't just "GnuTLSClientVerify require" the resources you might want to restrict.

b) There appears to be no way to authorize within Apache; mod_rewrite special-cases mod_ssl, and even if mod_gnutls had ap_expr hooks I don't think it would do any good. If anyone knows how I might be misunderstanding Apache and there's something like a way to map SSL_CLIENT_S_AN0 values into REMOTE_USER or a way to use this with mod_authz_core, I'd be delighted to hear about it.

I apologize if I've omitted any steps.
[0] http://bugs.debian.org/742799

[1]
    <IfModule mod_gnutls.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        GnuTLSEnable On
        GnuTLSCertificateFile /etc/apache2/certstuff/blah.pem
        GnuTLSKeyFile /etc/apache2/certstuff/blah.key
        GnuTLSPriorities NORMAL:!VERS-SSL3.0
        GnuTLSClientVerifyMethod msva
        GnuTLSClientVerify require
    </VirtualHost>
    </IfModule>

[2] https://demo.monkeysphere.info/

[3]
    #!/bin/sh
    echo "Content-type: text/plain"
    echo
    env

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
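Since, as problem (b) in the post notes, the client's SSL_CLIENT_S_AN0 never reaches Apache's own authorization layer (no REMOTE_USER mapping, no mod_authz_core hook), the remaining place to make a per-resource decision is the application behind the vhost-wide "GnuTLSClientVerify require". The following is an added example, not code from the original post or from the mod_gnutls or Monkeysphere projects: a Python CGI that could stand in for showenv on a resource you want to restrict, consuming the same SSL_CLIENT_VERIFY and SSL_CLIENT_S_AN0 variables the post has you observe. The allow-list values are constructed; the "SUCCESS" and "NONE" values of SSL_CLIENT_VERIFY are assumed to mirror mod_ssl's convention (the post itself only confirms FAILED); and the exact string form of SSL_CLIENT_S_AN0 should be copied from whatever showenv prints for an accepted client, since the script treats it as an opaque identifier.

```python
#!/usr/bin/env python3
"""Application-level authorization behind a mod_gnutls + MSVA vhost.

Added example, not part of the original post. Apache cannot map
SSL_CLIENT_S_AN0 into REMOTE_USER or feed it to mod_authz_core, so the
per-resource check is made here from the CGI environment instead.
The allow list below is a constructed assumption for illustration.
"""
import os
import sys

# Hypothetical allow list: exact SSL_CLIENT_S_AN0 strings permitted to
# reach this resource. Copy the real form from showenv output; the value
# is compared verbatim and never parsed.
ALLOWED_SUBJECTS = frozenset({
    "xmpp:alice@example.org",   # constructed value
    "xmpp:bob@example.org",     # constructed value
})


def authorize(env, allowed=ALLOWED_SUBJECTS):
    """Decide whether this request may proceed.

    Returns (permitted, reason, subject). Order matters: first require
    that mod_gnutls actually validated the client certificate through
    the MSVA (SSL_CLIENT_VERIFY == "SUCCESS"); only then look at the
    identity. A client with no certificate ("NONE") or an unvalidated
    one ("FAILED") is refused no matter what SSL_CLIENT_S_AN0 contains,
    so a spoofable identity string alone never grants access.
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        reason = ("client certificate missing or not validated by the MSVA "
                  "(SSL_CLIENT_VERIFY=%s)" % verify)
        return False, reason, None
    subject = env.get("SSL_CLIENT_S_AN0", "")
    if subject not in allowed:
        reason = "certificate validated, but %r is not on the allow list" % subject
        return False, reason, subject or None
    return True, "ok", subject


def render(permitted, reason, subject):
    """Build the full CGI response (headers + body) as one string.

    The "Status:" header is the CGI way of choosing the HTTP status, so
    mod_cgi turns a refusal into a real 403 rather than a 200 with an
    error message in the body.
    """
    if permitted:
        status, body = "200 OK", "hello, %s\n" % subject
    else:
        status, body = "403 Forbidden", reason + "\n"
    return ("Status: %s\r\n" % status
            + "Content-Type: text/plain; charset=utf-8\r\n"
            + "\r\n"
            + body)


def main():
    permitted, reason, subject = authorize(os.environ)
    sys.stdout.write(render(permitted, reason, subject))


if __name__ == "__main__":
    main()
```

Install it next to showenv under /usr/lib/cgi-bin/ and request it with an accepted client certificate; a browser with no Monkeysphere key, or with a certificate the MSVA does not validate, gets a 403 body naming the SSL_CLIENT_VERIFY value rather than a page. Because the post's vhost uses "GnuTLSClientVerify require" globally, every client is already forced to present a certificate; this script only adds the who-may-see-what layer that Apache itself will not express.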