On Tue, Jun 06, 2006 at 03:36:37PM -0400, Paul D. Robertson wrote:

> I'm trying to get mod_proxy to work as an SSL proxy using a client
> certificate on the proxy to connect to a backend IIS server that's set up
> to use any client certificate signed by my OpenSSL-based CA.
>
> If I use a browser with the same certificate bundled up as a PKCS12
> bundle, through the proxy, it all works, but what I really need is for
> Apache/mod_ssl to use a locally stored version of the cert/key to connect,
> then let the IIS server do its normal basic auth. That's one single
> client cert/key for all externally connecting users (yes, I understand
> the ramification; it's not for user authentication), not a per-user proxy
> cert.
There's no way to do this with mod_ssl without modifying the source.

With httpd 2.2.x (and also I believe mod_ssl-2.8-for-1.3) what you can do is to pass through the client's SSL certificate (in PEM format) as a request header to the backend, then extract that on the backend server and then verify that against a CA cert independently; see http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header and the %{...}s stuff. That is the traditional approach used when passing through client certs to Tomcat etc, and doesn't require an SSL connection between proxy and backend. Doing this with an IIS backend might be a challenge.

> Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to
> bin/envvars.

That affects handling of rfc3820 "proxy certificates" (which you are not using unless you are doing some serious PKI voodoo ;).

joe

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
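The header pass-through Joe describes, written out as an added httpd 2.2 configuration example (not from the thread, and not an official mod_ssl snippet): the proxy terminates TLS, verifies the client certificate against the CA, and forwards the PEM and verification result to the backend as request headers. File paths, the backend hostname and the header names are placeholders.

```apache
# Added example: front-end proxy that passes the client's certificate
# to the backend as request headers (httpd 2.2 mod_ssl + mod_headers + mod_proxy).
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/proxy-server.crt   # placeholder
    SSLCertificateKeyFile /path/to/proxy-server.key   # placeholder
    # The OpenSSL-based CA that signed the client certificates
    SSLCACertificateFile  /path/to/my-ca.crt          # placeholder
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Also export the PEM certificate into the request environment
    SSLOptions +ExportCertData +StdEnvVars

    # "set" replaces any copy of these headers a client sends, so a client
    # cannot inject its own X-SSL-Client-Cert through the proxy.
    # %{VARNAME}s reads an SSL variable from mod_ssl (see the mod_headers docs).
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"
    RequestHeader set X-SSL-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # Plain HTTP to the backend; no TLS or client cert needed on this hop.
    ProxyPass        / http://backend.example.internal/   # placeholder host
    ProxyPassReverse / http://backend.example.internal/
</VirtualHost>
```

Two things the backend side must handle: it has to accept these headers only from the proxy (network restriction or a private link), because anyone who can reach the backend directly could otherwise supply their own header, and the PEM arrives with its line breaks folded into a single header value, so the backend must restore the newlines before re-verifying the certificate against the CA.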