Workaround for bug with FakeBasicAuth

[Jason Haar]

I've been trying to get Client cert authentication to work with mod_ssl
2.8.4-8 and have everything working bar directory listings. Apparently this
is a bug that goes back over a year now?

Anyway, I think I have a workaround.

Instead of using FakeBasicAuth, I instead use SSLRequire, and change
CustomLog to "fake" the auth entry:

i.e.

LogFormat "%h %l %u %t \"%r\" ." standard
LogFormat "%h %l SSL:%{SSL_CLIENT_S_DN_EMAIL}e %t \"%r\" ..." ssl-standard

CustomLog /log/access_log standard
#Override the CustomLog setting for valid SSL Client Certs
CustomLog /log/access_log ssl-standard env=SSL_CLIENT_S_DN_EMAIL


 SSLRequireSSL
 SSLVerifyClient require
 SSLVerifyDepth  1
 SSLOptions +StrictRequire +ExportCertData +CompatEnvVars +StdEnvVars
 SSLBanCipher NULL-MD5 NULL-SHA
 SSLRequire   %{SSL_CLIENT_S_DN_OU}  in {"our dep"}
 Options none Indexes FollowSymlinks SymLinksIfOwnerMatch
 AllowOverride None
 order allow,deny
 allow from all


The only concern I have is that I had to set +StdEnvVars in order to get
SSL_CLIENT_S_DN_EMAIL into the environment. Can I access that some other
way, or is the extra load of adding the env vars not bad enough to be
concerned about?

Also, if anyone thinks that's not going to operate the way I think it should
(i.e. only allow OU="our dep" access) please let me know :-)

Thanks

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

External certificate validation

[François Désarménien]

Hello, everybody.

I've been searching the web and read the Documentations, FAQS,
HOWTOs READMEs for a while with no luck, that's why I'm posting
here.

I need to be able not to store root CA certificates and CRLs
on the web server, but to rather use a dedicated OCSP server
of some sort to validate clients certificates.

Is there a way (or hook) I could use to achieve this ?

Thank you for your time,

François 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

windows and apache 2.0.36

[gilad . buzi]

does anyone know if there is a compiled version of mod_ssl for windows
(mod_ssl.so) anywhere?
one of my customers (believe me, i wouldn't do it) wants to install https
with apache 2.x under windows.

thanks,

 Gilad Buzi 
 R&D Engineer · CONCATEL


 [EMAIL PROTECTED]
 c/Sardenya, 229-237 Atic. 2a · 
 08013 Barcelona Spain  
 tel. +34.93.244.88.77 · fax
 +34.93.244.88.78   

  www.concatel.com  



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

RE: OT: Encryption and Credit Card Processing (fwd)

[Geoff Thorpe]

Hi there,

On Wed, 29 May 2002, R. DuFresne wrote:

> Can others with more incite to verisign certs verify this information for
> me?  thanks in advance:

Dunno about the insightful, but I'll try instead ...

> In response to your question (see below) about surrogate/gated
> functionality built into the major browsers since Netscape and IE version
> 3, the answer is simple.  To address the global needs of the US financial
> community, the US Government agreed to this functionality for both domestic
> and exportable versions of the browser.  The Federal Government agreed to
> this provided the server that triggers the higher strength processing is
> operating in the US or Canada and a domestic commercial certificate
> authority (CA) with the capability of issuing such certificates is
> utilized. To my knowledge, only VeriSign can provide such certificates.  I
> have been involved with the installation of global certificates on
> Netscape, iPlanet, and IIS web servers since at least the first quarter of
> the Year 2000.  Initially, WebLogic servers could not handle global
> certificates even though BEA claimed its software did.  Once BEA completed
> its legal agreement with VeriSign, the issue was supposedly
> resolved.  While I expect that this is true, I have never validated it for
> myself.  I don't recall that an Apache web server could handle the Global
> certificates.  To function properly, the supplier of the web server must
> obtain special (export controlled) code from the issuing CA.

Apache-based servers can handle this - it requires a sufficient version of
OpenSSL, it has very little to do with apache nor even the ssl module (it
should make no difference between apache-ssl and mod_ssl, for example).
IIRC, configuration is a problem - because these SGC (Server Gated Crypto)
usually consist of a cert chain with an intermediate CA cert that is
unknown to browsers (it is in turn signed by a CA cert that *is* known to
browsers). So, you need to ensure the intermediate cert is also in the
server cert file (or was it the CA list? I forget ...)

One of the problems was that these certificates were being issued with one
or both of a "netscape" cert extension and a "microsoft" cert extension.
If your signed cert didn't contain the microsoft one, then you'd be fine
no matter which version of openssl you were running - in short, without
the microsoft extension present in the cert, even IE browsers would obey
the SSL protocol. With the microsoft extension present however, IE would
enter some deranged brain-state in which it thought it could simply make
up it's own new twist on the SSL protocol. This confused various servers
except IIS until everyone figured out what was going on with Microsoft's
creative side and developed workarounds for it - hence the point about
having a "sufficient" version of OpenSSL. All recent releases of OpenSSL
are OK and can cope with these brain-damaged SSL renegotiate hacks from
IE.

Whether you get a microsoft extension in your SGC cert or not probably
depends on the competency, care, and mood of Verisign - and as with all
things involving either microsoft and/or verisign, you probably need an
agreeable alignment of the planets too. IIRC, people running apache based
servers were being issued with SGC certs some of which contained the
microsoft extension and some of which didn't. Also, the intermediate
signing certificate varied quite frequently, so it wasn't possible to
hard-code a fixed set of intermediate certs as "trusted" - it was usually
necessary to treat the intermediate cert as part of the server-cert-chain.

But this is all rather moot, see below ...

> Note: I'm note exposing any secrets here.  You should be able to obtain
> this information freely from the VeriSign, Netscape, and Microsoft public
> web sites.  You just may have to dig for it awhile.

SGC certs are no longer required. It was only ever an issue for
export-crippled browsers anyway and those simply don't (or shouldn't)
exist any more. SGC also cost heaps more. Get a "normal" cert.

Cheers,
Geoff

-- 
Geoff Thorpe, geoff(at)geoffthorpe(dot)net

2000 years on, it's a different empire but the same
zealots and the same attrocities.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]