<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user">
    <title>gmane.comp.apache.mod-ssl.user</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4871"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4870"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4869"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4868"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4867"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4866"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4865"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4864"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4863"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4862"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4861"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4860"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4859"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4858"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4857"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4856"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4855"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4854"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4853"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4852"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4871">
    <title>Using multiple certs with mod_ssl behind load balancer</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4871</link>
    <description> 

 I've been asked to implement a somewhat strange setup. We are going to handle ssl decryption on the load balancer then forward the connections to either an IIS or Apache server. I'm tasked with configuring the Apache servers. I need to be able to use multiple certs but I'm not sure how. I've made test runs using SSLCertificateChainFile and SSLCACertificatePath but I couldn't get either to work.
What are the correct steps I need to follow?


Joe Holt | Product Development, Intuit Small Business Web | 650-549-3454

 


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users&lt; at &gt;modssl.org
Automated List Manager                            majordomo&lt; at &gt;modssl.org

</description>
    <dc:creator>Holt, Joe</dc:creator>
    <dc:date>2008-11-26T19:18:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4870">
    <title>Multiple Requests for Client Certificate</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4870</link>
    <description>hi,

I'm in the setup of an SSL-enabled apache2 server with mod_ssl - works
fine so far *but* when a client-browser opens multiple simultaneous
connections for one page to the server the Client-Certificate gets
requested the same number of times from the user.

The corresponding Browser-Configuration for firefox for example is named
network.http.max-persistent-connections-per-server

I am looking for a way to avoid these multiple questions for a
client-cert but I have no influence on the Browser-Configurations.

Is there a way to avoid those multi-questions?

best regards

</description>
    <dc:creator>wolfram eifler</dc:creator>
    <dc:date>2008-11-18T09:40:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4869">
    <title>mod_ssl Environment Variable?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4869</link>
    <description>Hello,

I would like to do the following (Apache 2.2 config):

&lt;Directory /var/www/desert/storage/jctmirrorserver/dav/Service42&gt;
 AuthUserFile /dev/null
 #SSLOptions +ExportCertData +FakeBasicAuth
 SSLOptions +FakeBasicAuth
 #SSLRequire (%{SSL_CLIENT_S_DN_O} in {"ClientO1", "ClientO2"})
 AuthLDAPURL "ldap://192.168.1.3:389/dc=testnet,dc=de?uid"
 AuthType Basic
 AuthName "Internal Server Content"
 #AuthBasicAuthoritative Off
 AuthBasicProvider ldap
 Require ldap-user %{SSL_CLIENT_S_DN_OU}
&lt;/Directory&gt;

I want to use client certificates; after connect, I will check one of the fields
in the certificate (existence) in an LDAP server.


But the apache variable %{SSL_CLIENT_S_DN_OU} does not contain just the
OU string (testorg); there is a very long string, like this:

uid=/c=de/st=niedersachsen/o=ClientO1/ou=testorg/cn=maschinen/
emailaddress=support&lt; at &gt;testnet.de

With this string apache now asks the LDAP server; that all seems
correct, but the uid field in my LDAP holds the entry named
"testorg".

Is this an Error</description>
    <dc:creator>Wilhelm.Greiner&lt; at &gt;vaps.de</dc:creator>
    <dc:date>2008-10-27T13:48:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4868">
    <title>Re: Partitioned CRLs</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4868</link>
    <description>    Hi Gilles,

    Thanks for your reply! :-)

    The CA also offers OCSP, which is obviously the preferred way to
validate certificate status. I am just trying to make sure that there
is support from the "applications world" to such a CRL partitioning
scheme. Wide interoperability is a key goal.

    Regards,

       Nuno Ponte


On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles &lt;gilles.cuesta&lt; at &gt;gmail.com&gt; wrote:
</description>
    <dc:creator>Nuno Ponte</dc:creator>
    <dc:date>2008-10-21T15:32:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4867">
    <title>Re: Partitioned CRLs</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4867</link>
    <description>Nuno Ponte wrote:
CDP is embedded when creating certificate, so it might be possible
(client side).

Server side, you can stack as many crl as you want into either a single
file, or a directory (using hashing) and point to it into Apache.
But you may apply a patch for multiple identical DN handling.
http://marc.info/?l=apache-httpd-dev&amp;m=120350484626015&amp;q=p3

Why didn't you implement OCSP into Apache ?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I
didn't test it anyway)

</description>
    <dc:creator>Cuesta Gilles</dc:creator>
    <dc:date>2008-10-21T10:04:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4866">
    <title>Partitioned CRLs</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4866</link>
    <description>    Hi,

    We are running a CA that has thousands of revoked certificates,
which leads to CRLs of several MBytes.

    On the next renewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have different CRL Distribution Points (CDP) according to the
partitions they are assigned.

    For example, for X=100, from certificate 1 to certificate 100, the
CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

    My question: Is mod_ssl/openssl prepared to support partitioned
CRLs like the way described? In particular, if CRLs are cached,
mod_ssl must be able to merge several different partitions according
to the CDP to create a unified view over the revocation universe of a
CA.

    Regards,

         Nuno Ponte
</description>
    <dc:creator>Nuno Ponte</dc:creator>
    <dc:date>2008-10-21T09:50:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4865">
    <title>Re: unable to start apache with 2 certificates</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4865</link>
    <description>I tried with an SSLPassPhraseDialog in every VirtualHost and I get this
message:

[jmartin&lt; at &gt;protean bin]$ ./apachectl -S
Syntax error on line 82
of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
SSLPassPhraseDialog cannot occur within &lt;VirtualHost&gt; section

"or unciphered key ?" How can I do it? Do I need to contact my
certificate provider?

thanks.


On Mon, 20-10-2008 at 10:32 +0200, Jorge Martín Cuervo wrote:
</description>
    <dc:creator>Jorge Martín Cuervo</dc:creator>
    <dc:date>2008-10-20T09:03:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4864">
    <title>Re: unable to start apache with 2 certificates</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4864</link>
    <description>Hi Cuesta Gilles, thanks for your quick reply. No I am going to read
the documentation about SSLPassPhraseDialog.

This is my apachectl -S output:

[jmartin&lt; at &gt;protean bin]$ ./apachectl -S
VirtualHost configuration:
213.134.38.66:443      cv.smra.org
(/home/jmartin/apache22/conf/extra/httpd-ssl.conf:266)
213.134.38.54:443      www.smartcv.org
(/home/jmartin/apache22/conf/extra/httpd-ssl.conf:81)
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server protean.eu
(/home/jmartin/apache22/conf/httpd.conf:490)
         port 80 namevhost protean.eu
(/home/jmartin/apache22/conf/httpd.conf:490)
         port 80 namevhost madrid.protean.eu
(/home/jmartin/apache22/conf/httpd.conf:506)
         port 80 namevhost portal.protean.eu
(/home/jmartin/apache22/conf/httpd.conf:519)
         port 80 namevhost uk.protean.eu
(/home/jmartin/apache22/conf/httpd.conf:532)
         port 80 namevhost portaldeempleo.curtidora.com
(/home/jmartin/apache22/conf/httpd.conf:545)
 </description>
    <dc:creator>Jorge Martín Cuervo</dc:creator>
    <dc:date>2008-10-20T08:32:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4863">
    <title>unable to start apache with 2 certificates</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4863</link>
    <description>Hi all,

I have a problem with an apache 2.2.9, maybe this is not the correct
mailing list but I am going to ask, my apologies if this isn't the
proper place.

I had an instance of apache 2.2.9 with an IP serving contents with the
port 80 and 443, we bought a godaddy certificate and all went pretty
well, but we needed to install another certificate for another domain in
the same machine. I had several domains and all works with vhosts with
http, but when I first tried to use several vhosts for secure
connections the apache seemed to restart well but stopped working.

With only one certificate, apache used to ask me the certificate password,
but when I configured a second one, it never asked and stopped serving content,
even in http. Then I tried to configure the system with 2 IPs, one for
every certificate, but I got the same problem.

The configuration files seem to be well formed (apachectl -t) and I saw
some examples out there:
http://www.ibm.com/developerworks/opensource/library/wa-multissl.html

am i doing s</description>
    <dc:creator>Jorge Martín Cuervo</dc:creator>
    <dc:date>2008-10-20T07:55:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4862">
    <title>Re: unable to start apache with 2 certificates</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4862</link>
    <description>Jorge Martín Cuervo wrote:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31
Your key may be stored unciphered on your server.

</description>
    <dc:creator>Cuesta Gilles</dc:creator>
    <dc:date>2008-10-20T09:08:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4861">
    <title>Re: unable to start apache with 2 certificates</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4861</link>
    <description>Jorge Martín Cuervo wrote:
Did you try with SSLPassPhraseDialog in each VirtualHost ? or unciphered
key ?
Which is the result of httpd -S ?

</description>
    <dc:creator>Cuesta Gilles</dc:creator>
    <dc:date>2008-10-20T08:16:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4860">
    <title>IE + SSL = File Upload Problems</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4860</link>
    <description>
Hello,

Hopefully someone can help...

Environment:

Apache httpd 2.2 + mod_proxy + JK2 + mod_ssl --&gt; JBoss (Tomcat 5.5)

IE 6/7 + WinXP Pro/Win 2003

Problem:

When a large file upload from a http form post reaches a "max allowed
limit" (e.g. 20Mb) on the server, the server returns a response (e.g.
413/406).
Somewhere the SSL part is causing (only) IE to hang for a while (consume
lots of memory/processor time) and then display a page that says:

"Navigation to the webpage was stopped..."

Note: Turning SSL off fixes this behaviour.

Can anyone shed any light on what might be causing this?

Cheers,
Dave

</description>
    <dc:creator>Dave.Chapman&lt; at &gt;saaconsultants.com</dc:creator>
    <dc:date>2008-10-15T11:07:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4859">
    <title>Jean-Pierre Guilloteau is away.</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4859</link>
    <description>
I will be out of the office starting Fri 10/10/08 and will not return until
Mon 27/10/08.

I will reply to your message when I return.
Kind regards.

</description>
    <dc:creator>jpguilloteau&lt; at &gt;aspaway.fr</dc:creator>
    <dc:date>2008-10-10T20:03:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4858">
    <title>Re: X509 variables  ..UID</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4858</link>
    <description>
Nothing happened since I've filed this bug and raised the issue here:

  https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

It's broken =&gt; it should be fixed. Unfortunately no-one cares. :-(

Ciao, Michael.
</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-10-10T15:38:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4857">
    <title>X509 variables  ..UID</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4857</link>
    <description>in ssl_engine_vars, there seems to be a problem to me concerning the UID 
field.
The syntax for the field is a bitstring and not a "text".



static const struct {
    char *name;
    int   nid;
} ssl_var_lookup_ssl_cert_dn_rec[] = {
    { "C",     NID_countryName            },
    { "ST",    NID_stateOrProvinceName    }, /* officially    (RFC2156) */
    { "SP",    NID_stateOrProvinceName    }, /* compatibility (SSLeay)  */
    { "L",     NID_localityName           },
    { "O",     NID_organizationName       },
    { "OU",    NID_organizationalUnitName },
    { "CN",    NID_commonName             },
    { "T",     NID_title                  },
    { "I",     NID_initials               },
    { "G",     NID_givenName              },
    { "S",     NID_surname                },
    { "D",     NID_description            },
#if SSL_LIBRARY_VERSION &gt;= 0x00907000
    { "UID",   NID_x500UniqueIdentifier   },
#else
    { "UID",   NID_uniqueIdentifier       },
#endif
    { "Email", NID_pkcs9_emailAddress     },
   </description>
    <dc:creator>Peter Sylvester</dc:creator>
    <dc:date>2008-10-10T14:49:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4856">
    <title>Embedded purposes</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4856</link>
    <description>If a user is trying to authenticate himself with an SSL web server, he 
needs to present a valid personal certificate, I understand. But what if 
the purpose of the client certificate is not valid? I mean, for one 
user's certificate, Mozilla SeaMonkey reports: "This certificate has 
been verified for the following uses: Email Signer Certificate and Email 
Recipient Certificate". Will an SSL web server accept such a client 
certificate for authenticating an SSL web connection?

Gunnar Vestergaard
</description>
    <dc:creator>Gunnar P. Vestergaard</dc:creator>
    <dc:date>2008-10-06T18:32:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4855">
    <title>Re: Can i use CA signed cert to create client authentication certificates ?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4855</link>
    <description>Hi,

Asking every time does make it complicated. I can't remember if the firefox default is to ask or auto supply (and it has changed behavior between 1/2/3 AFAIK), I have it as ask every time.

Anyway the ask every time FF behavior isn't very nice for users (auto supply is probably fine for most users). FF will also ask for a cert every session ID change.

As you know there isn't an ask once option, which would be very nice.  I don't think there is much that can be done to "fix" it other than coding up an "ask once" option in FF (which I haven't got the time to do :( ).

Anyway you may also want to use/need the "SSLOptions +OptRenegotiate" if you have portions of the site that do and don't require client certs. It can help greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all the time going from non-client cert to client cert areas.


Regards
Matt


----- Original Message ----
From: Jan Stian Gabrielli &lt;stian&lt; at &gt;mailtilmeg.com&gt;
To: modssl-users&lt; at &gt;modssl.org
Sent: Thursday, September 25,</description>
    <dc:creator>Matt Stevenson</dc:creator>
    <dc:date>2008-09-26T17:02:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4854">
    <title>Re: Can i use CA signed cert to create client authentication certificates ?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4854</link>
    <description>Thank you very much Matt .
That solved it :).

I now have "Client Certificate Authentication" working with a CA signed certificate and a Self Signed CA which in turn signs client certs.

If i can only ask for a bit more advice regarding this setup ?.
Although I think this problem might be Firefox specific I'm hoping for some advice here. 

Internet Explorer handles the client certificates fine, prompts me to select certificate on connection to the site and basically just works after that..

But when Firefox is set to "Ask me every time" instead of "auto select client certificate" I keep getting the select certificate pop up several(multiple) times per page request/load from the SSL secured Apache server.
There is only one certificate in the select from dialog, but it keeps prompting me and I can see it loading "one" and "one" item(image) on the website.
If i switch to "Auto select certificate" it works. But it would be nice not having the browser present the certificate without it being the users</description>
    <dc:creator>Jan Stian Gabrielli</dc:creator>
    <dc:date>2008-09-25T08:37:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4853">
    <title>Re: Can i use CA signed cert to create client authentication certificates ?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4853</link>
    <description>Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

----- Original Message ----
From: Jan Stian Gabrielli &lt;stian&lt; at &gt;mailtilmeg.com&gt;
To: modssl-users&lt; at &gt;modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can i use CA signed cert to create client authentication certificates ?

Ok. This seems like a viable solution.
Ie.
I use an approved CA signed cert to verify the site authenticity, and I use a selfsigned CA root for client certificates.

Can you point me in a direction of how I make this work in apache ?.
I already have a setup with a Selfsigned CA working for client certificates.

Created SelfSignedCA
|--&gt;Create and Sign Apache Cert from SelfSigned CA
|--&gt;Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (thawte) signed webserver certificate ?.

Best regards

Wizkidnono

Original Messa</description>
    <dc:creator>Matt Stevenson</dc:creator>
    <dc:date>2008-09-23T18:36:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4852">
    <title>Re: Can i use CA signed cert to create client authentication certificates ?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4852</link>
    <description>Ok. This seems like a viable solution.
Ie.
I use an approved CA signed cert to verify the site authenticity, and I use a selfsigned CA root for client certificates.

Can you point me in a direction of how I make this work in apache ?.
I already have a setup with a Selfsigned CA working for client certificates.

Created SelfSignedCA
|--&gt;Create and Sign Apache Cert from SelfSigned CA
|--&gt;Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (thawte) signed webserver certificate ?.

Best regards

Wizkidnono

Original Message -----------------------
Sounds like you're trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt



----- Original Message ----
From: Jan Stian Gabrielli &lt;stian&lt; at &gt;mailtilmeg.com&gt;
To: modssl-users&lt; at &gt;modssl.org
Sent: Monday, September 22, 2008 7:54:37 </description>
    <dc:creator>Jan Stian Gabrielli</dc:creator>
    <dc:date>2008-09-23T12:39:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4851">
    <title>Re: Can i use CA signed cert to create client authentication certificates ?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4851</link>
    <description>Sounds like you're trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt



----- Original Message ----
From: Jan Stian Gabrielli &lt;stian&lt; at &gt;mailtilmeg.com&gt;
To: modssl-users&lt; at &gt;modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up apache with mod_ssl , and I have it working with a
Self Signed CA.
But i can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a "third"
party where one does not have access to their root ca key ?.

Ie.

I have generated a : apache_server.key made a apache_server.csr and sent
this for signing by thawte.com
Received an apache_server.crt

Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt

</description>
    <dc:creator>Matt Stevenson</dc:creator>
    <dc:date>2008-09-22T20:19:05</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-ssl.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-ssl.user</link>
  </textinput>
</rdf:RDF>
