Hello,

I would like to use SSLVerifyClient in order to do two-way authentication.



Here is my situation:

Client <-------> HAProxy <-------> Apache (SSL authentication **) <-------> tomcat/apache (Application server)



I have to authenticate clients before they can access the application; that is the goal of (**).

- Clients with no certificate, or with an expired or revoked one, can't access;

- Clients with a valid certificate can access.



1. First try

I found mod_ssl_error (http://marcstern.tripod.com/mod_ssl_error/), which is helpful but tied to specific Apache/mod_ssl versions, and I don't want to maintain that.



2. Second try

If I set "SSLVerifyClient require" in the server/vhost context, everything works fine at first.



Problems come when I want to redirect users based on the failure reason (no certificate/expired/revoked) or to personalize the 403 page.

I'm trying to use mod_rewrite to do this, but it doesn't work: it's always a 403 that I can't catch with rewrite.



I see that %{SSL_CLIENT_VERIFY}x can give me some information (NONE/FAILED:reason/...), but this information doesn't work with all browsers (another question for me is why they always give NONE)?!

IE6 works fine:

192.168.56.102 - FAILED:certificate has expired [16/Nov/2012:14:56:13 +0100] "GET /index.php HTTP/1.1" 403 20

IE7 and above give:

192.168.56.102 - NONE [16/Nov/2012:14:56:00 +0100] "GET /index.php HTTP/1.1" 403 20



(Another problem is that browsers have a custom 403 page.)



Am I right, or did I miss something in my configuration?



3. Third try

I find that "SSLVerifyClient optional" is better for what I want, but I don't want to introduce a vulnerability.

What I understand is that if the client doesn't provide a certificate, he can access my site, and if he provides one, this certificate is verified.

So to have the same control as "require", I have to set up a strong verification, this time based on rewrite rules:



        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS => gives the same control as require and introduces the possibility to filter on the reason?!

And/or

        RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} to control expiration and redirect with the proper 403.



Can you confirm that point?



For now, this last solution is the one I prefer, but I'm open to any suggestion that can help me.


Kind regards,
Guillaume Boulamery

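The "optional plus HTTP-layer check" approach discussed in the post, worked through as an added example. This is not the poster's configuration and not from the mod_ssl documentation; it is an Apache 2.4 vhost written to show how to keep "SSLVerifyClient optional" fail-closed and to pick the 403 page from SSL_CLIENT_VERIFY. The host name, certificate and log paths, the backend address 127.0.0.1:8080, the /errors/ URLs and the X-Client-Cert-* header names are assumptions. It goes a little beyond the post by also forwarding the verified subject and the remaining validity (SSL_CLIENT_V_REMAIN) to the application server.

```apache
# Added example (not from the original post): Apache 2.4 vhost with
# "SSLVerifyClient optional" that still fails closed. Paths, host name,
# backend address, /errors/ URLs and header names are assumptions.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine               on
    SSLCertificateFile      /etc/ssl/app/server.crt
    SSLCertificateKeyFile   /etc/ssl/app/server.key

    # Trust anchors and CRL used to verify *client* certificates.
    SSLCACertificateFile    /etc/ssl/app/client-ca.pem
    SSLCARevocationFile     /etc/ssl/app/client-ca.crl
    SSLCARevocationCheck    chain
    SSLVerifyDepth          2

    # "optional": the handshake completes whether or not a certificate was
    # sent, so the access decision has to be made below, for every request.
    SSLVerifyClient         optional

    # Record what each browser actually presented (NONE / SUCCESS / FAILED:reason).
    LogFormat "%h %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\" %t \"%r\" %>s %b" clientcert
    CustomLog /var/log/apache2/app-clientcert.log clientcert

    # Gate: everything under / needs a successfully verified certificate.
    # This is authorization, so it holds even if a RewriteRule elsewhere is wrong.
    <Location />
        Require expr %{SSL_CLIENT_VERIFY} == 'SUCCESS'
    </Location>

    # The error pages are served locally and without a certificate; otherwise
    # the 403 page itself would be rejected with another 403.
    Alias /errors/ /var/www/errors/
    <Location /errors>
        Require all granted
    </Location>

    # Pick the 403 page from the verify result. The FAILED:... branches can only
    # fire when verification ran during a renegotiation; a certificate that fails
    # in the initial handshake is rejected by OpenSSL with a TLS alert before any
    # HTTP request exists, and nothing below sees it.
    <If "%{SSL_CLIENT_VERIFY} == 'NONE'">
        ErrorDocument 403 /errors/no-certificate.html
    </If>
    <ElseIf "%{SSL_CLIENT_VERIFY} =~ /^FAILED:certificate has expired/">
        ErrorDocument 403 /errors/certificate-expired.html
    </ElseIf>
    <ElseIf "%{SSL_CLIENT_VERIFY} =~ /^FAILED:certificate revoked/">
        ErrorDocument 403 /errors/certificate-revoked.html
    </ElseIf>
    <ElseIf "%{SSL_CLIENT_VERIFY} =~ /^FAILED:/">
        ErrorDocument 403 /errors/certificate-rejected.html
    </ElseIf>

    # Hand the verified identity and remaining validity (days) to the application.
    # "set" overwrites any copy of these headers a client may have sent; the
    # backend must only trust them when the request comes from this proxy.
    RequestHeader set X-Client-Cert-Subject  "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Cert-DaysLeft "%{SSL_CLIENT_V_REMAIN}s"

    ProxyPass        /errors/ !
    ProxyPass        /        http://127.0.0.1:8080/
    ProxyPassReverse /        http://127.0.0.1:8080/
</VirtualHost>
```

Two remarks on the design. The gate is an authorization rule rather than a RewriteCond/RewriteRule pair: mod_rewrite runs in the URI translation phase and a later rule, a stray [L], or a directory where the engine is off can let a request through, whereas `Require` is evaluated for every request under the Location; on Apache 2.2 the equivalent is `SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"`. And `optional_no_ca` does not help here: it only tolerates issuer-related errors (unknown or self-signed CA), never an expired or revoked certificate, so it does not widen the set of failures that reach the ErrorDocument branches.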