Client Authentication and Access Control
Hi.

I have read the instructions at: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9 and successfully set up a web server which runs HTTPS and requires client certificates for authentication.

However, I am not 100% pleased with either of the *two* methods. What I dislike is the *user-id* part of the information that is stored in the access log:

Method 1 (mod_auth): The user-id field is a string converted from the *full* subject DN in the client certificate, which in my case (with Verisign class 1 certificates) is typically 230 chars long!

Method 2 (SSLRequire): The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of the DN (e.g. the CN in the DN) as the user-id in the access-log?

One more thing with method 1: I noted that the syntax in mod_auth/AuthGroupFile is:

    mygroup: user-id1 user-id2 user-id3

i.e. using space as a separator. The user-id produced in method 1 above contains a lot of spaces. How can this work? Using quotes?

Thanks.

Oyvin
Re: Client Authentication and Access Control
On Fri, Jun 03, 2005 at 08:56:56AM +0200, yvin Smme wrote:
> Method 2 (SSLRequire): The user-id field is just '-'.
>
> Can I somehow configure apache/mod_ssl to only store certain elements of the DN (e.g. the CN in the DN) as the user-id in the access-log?

mod_ssl in httpd 2.0 supports the SSLUsername directive which allows this:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusername

Regards,

joe
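A configuration sketch of the directive named in the reply above, as an added example that is not part of the original thread. The host name, file paths, log names and the issuer organisation string are placeholders chosen for illustration.

```apache
# Added example (not from the thread); all paths and names are placeholders.
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key

    # Require a client certificate that chains to one of these CAs.
    SSLCACertificateFile  conf/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location />
        # Use only the CN of the certificate subject as the request user,
        # so %u in the access log is the CN instead of '-' or the full DN.
        # This has no effect if SSLOptions +FakeBasicAuth is enabled.
        SSLUserName SSL_CLIENT_S_DN_CN

        # A CN is not unique across issuers, so restrict which issuer is
        # accepted before trusting it as an identity (placeholder value).
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Issuing CA"
    </Location>

    # Ordinary access log: short user-id taken from the CN.
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog logs/ssl_access_log common

    # Separate audit log that keeps the full subject DN, issuer DN and
    # serial number, so a short CN can still be tied to one certificate.
    CustomLog logs/ssl_client_audit_log \
        "%t %h %u \"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_I_DN}x\" %{SSL_CLIENT_M_SERIAL}x"
</VirtualHost>
```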
Re: problem compiling on windows
I suggest you follow the procedure in the openssl source package (install.w32) instead of using the perl commands in the apache httpd documentation. This worked fine for me.

HTH

michael

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of b h
Sent: Friday, 3 June 2005 00:34
To: modssl-users@modssl.org
Subject: problem compiling on windows

Hi

to begin, platform winxp pro, visual studio 6

I downloaded and extracted httpd-2.0.54-win32-src.zip, openssl-0.9.7g.tar.gz from their respective websites. And I was following http://httpd.apache.org/docs-2.0/platform/win_compiling.html

I placed awk.exe in the path, extracted all the openssl files into srclib/openssl, ran all the perl lines configuring, and nmaking in the srclib/openssl directory (and they seemed to work without any error)...

but then when running

    nmake /f Makefile.win _apacher

after a couple minutes I end up with fatal errors: see last few lines before the error following...

    Creating library .\Release\mod_proxy.lib and object .\Release\mod_proxy.exp
    NMAKE -nologo -f mod_proxy_connect.mak CFG=mod_proxy_connect - Win32 Release RECURSE=0
    tempfile.bat
    cl.exe @C:\DOCUME~1\brad\LOCALS~1\Temp\nma00480.
    proxy_connect.c
    link.exe @C:\DOCUME~1\brad\LOCALS~1\Temp\nmb00480.
    Creating library .\Release\mod_proxy_connect.lib and object .\Release\mod_proxy_connect.exp
    NMAKE -nologo -f mod_proxy_ftp.mak CFG=mod_proxy_ftp - Win32 Release RECURSE=0
    tempfile.bat
    cl.exe @C:\DOCUME~1\brad\LOCALS~1\Temp\nma03996.
    proxy_ftp.c
    link.exe @C:\DOCUME~1\brad\LOCALS~1\Temp\nmb03996.
    Creating library .\Release\mod_proxy_ftp.lib and object .\Release\mod_proxy_ftp.exp
    NMAKE -nologo -f mod_proxy_http.mak CFG=mod_proxy_http - Win32 Release RECURSE=0
    tempfile.bat
    cl.exe @C:\DOCUME~1\brad\LOCALS~1\Temp\nma01708.
    proxy_http.c
    link.exe @C:\DOCUME~1\brad\LOCALS~1\Temp\nmb01708.
    Creating library .\Release\mod_proxy_http.lib and object .\Release\mod_proxy_http.exp
    cd ..\..
    cd modules\ssl
    NMAKE -nologo -f mod_ssl.mak CFG=mod_ssl - Win32 Release RECURSE=0 .\Release\mod_ssl.so
    NMAKE : fatal error U1073: don't know how to make '..\..\srclib\openssl\inc32\openssl\asn1.h'
    Stop.
    NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio\VC98\bin\NMAKE.EXE' : return code '0x2'
    Stop.
    NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio\VC98\bin\NMAKE.EXE' : return code '0x2'
    Stop.
    C:\Documents and Settings\brad\Desktop\httpd-2.0.54

everything was working perfectly and I thought I was following all the instructions properly. What did I forget to do or can anyone tell me what is wrong? I ask here because it seems to be in the mod_ssl portion at that time. Please let me know if there is a more appropriate place to ask.

(And I know it's rude to ask, but please cc me in any responses)

thanks

b.
RE: problem compiling on windows
Hi,

You might be running into the same thing I did a while back with the /win_compiling.html instructions. You might try the following variation:

1) The instructions for running the perl scripts to build openssl are a little unclear, so please note the following:
   a) First you untar the openssl so that the openssl source tree is in the srclib/openssl directory.
   b) You must cd into the srclib/openssl directory, then execute the perl scripts as described.

2) On windows you can't execute the command exactly as printed in the win_compiling.html and as shown below:

       perl util\mk1mf.pl dll no-asm no-mdc2 no-rc5 no-idea VC-WIN32 >makefile

3) Because windows does not distinguish makefile from Makefile this command will overwrite the Makefile that is previously configured and required for this step. You must direct the output to another filename, e.g.

       perl util\mk1mf.pl dll no-asm no-mdc2 no-rc5 no-idea VC-WIN32 >makefile.rel

   then

       nmake /f makefile.rel

   for the release build.

Regards,

Bill Lange
RE: problem compiling on windows
Hi Bill

that was the answer. Thanks!

bob