Re: SSL reverse proxy + Client Cert auth
Hi Danny,

I guess I understood your doubt. If not, please ignore this.

There should be 'ca-bundle.crt' file in which you can put the third party's certificate and you could make a try.

Rgds,
Anbu

--- Danny Kruitbosch [EMAIL PROTECTED] wrote:
> Hi,
>
> We want to build the following situation:
>
> - Apache with mod_ssl as a reverse SSL proxy (Client --- SSL/HTTPS --- Rev. proxy --- HTTP --- Web/App server)
> - We need to check for client certificates. These certs are handed out by another party (not a real TTP). We need to check the signature on the client certs and the validity of the client certs.
>
> What's the best way to do this. I've read the mod_ssl manual, but I don't understand how I can check client certs from another (third) party.
>
> How do I setup Apache as an SSL reverse proxy?
>
> Any help on this would be great!
>
> Cheers,
>
> Danny Kruitbosch

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSL reverse proxy + Client Cert auth
On Sun, Aug 18, 2002 at 11:40:13PM -0700, Anbuchezhian Chelliah wrote:
> Hi Danny, I guess I understood your doubt. If not, please ignore this. There should be 'ca-bundle.crt' file in which you can put the third party's certificate and you could make a try.

Whoa! If you are running your own CA and only want your https server to accept certs signed by that CA, then YOU MUST NOT USE THE ca-bundle.crt FILE!!! Replace it with your own cacert instead.

Otherwise you are actually telling your https server that *any* cert signed by *any* CA is valid - which may not be what you want...

This is especially pertinent given the huge SSL hole found in IE/Konqueror recently...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: SSL reverse proxy + Client Cert auth
I'm not sure about checking another authority, but suspect the configs would be in conf/ssl.conf.

For doing the reverse proxying, I edited proxy.conf and included it inside ssl.conf. Inside proxy.conf, statements like:

    ProxyPass /cgi/ http://10.0.10.1/cgi/
    ProxyPassReverse /cgi/ http://10.0.10.1/cgi/

are what accomplishes the reverse proxying. In our case, https: comes into the proxy and we talk (behind the DMZ) http to the web servers.

Danny Kruitbosch wrote:
> Hi,
>
> We want to build the following situation:
>
> - Apache with mod_ssl as a reverse SSL proxy (Client --- SSL/HTTPS --- Rev. proxy --- HTTP --- Web/App server)
> - We need to check for client certificates. These certs are handed out by another party (not a real TTP). We need to check the signature on the client certs and the validity of the client certs.
>
> What's the best way to do this. I've read the mod_ssl manual, but I don't understand how I can check client certs from another (third) party.
>
> How do I setup Apache as an SSL reverse proxy?
>
> Any help on this would be great!
>
> Cheers,
>
> Danny Kruitbosch

--
.tom
http://isectd.sourceforge.net
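
The setup discussed in this thread combined into one virtual host, as an added example that is not taken from any of the posts: client certificates are verified against the third party's CA only, and requests are reverse-proxied over HTTP to the backend. The server name and all file paths are placeholders, and the depth of 1 assumes the third party signs client certificates directly with the CA certificate you install.

```apache
<VirtualHost _default_:443>
    # Placeholder name and paths; substitute your own.
    ServerName proxy.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Weak: pointing client verification at the stock bundle accepts a
    # client certificate issued by ANY CA listed in that bundle.
    # SSLCACertificateFile /path/to/ca-bundle.crt

    # Corrected: trust only the CA certificate of the party that issues
    # the client certificates.
    SSLCACertificateFile /path/to/third-party-ca.crt

    # Refuse the handshake unless the client presents a certificate that
    # chains to the CA above. Signature and validity period (not-before /
    # not-after) are checked as part of this verification.
    SSLVerifyClient require

    # Assumption: client certs are signed directly by the installed CA.
    # Raise this if the issuer uses intermediate CAs.
    SSLVerifyDepth 1

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Backend address as given in the thread: HTTPS terminates here and
    # plain HTTP is spoken to the web server behind the DMZ.
    ProxyPass        /cgi/ http://10.0.10.1/cgi/
    ProxyPassReverse /cgi/ http://10.0.10.1/cgi/
</VirtualHost>
```

Because the backend sees only plain HTTP from the proxy, it should accept connections from the proxy's address alone; otherwise the client-certificate check can be bypassed by talking to the backend directly.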