Client Authentication and Access Control

Hi.

I have read the instructions at:

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

and successfully set up a web server which runs HTTPS and requires
client certificates for authentication.

However, I am not 100% pleased with neither of the *two* methods. What I
dislike is the *user-id* part of the information that is stored in the
access log:

Method 1 (mod_auth):

The user-id field is a string converted from the *full* subject DN in the
client certificate which in my case (with Verisign class 1 certificates)
are typically 230 chars long!

Method 2 (SSLRequire):

The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?


One more thing with method 1: I noted that the syntax in mod_auth/AuthGroupFile
is:

mygroup: user-id1 user-id2 user-id3

i.e. using space as a separator. The user-id produced in method 1 above
contains a lot of spaces. How can this work? Using quotes?

Thanks.

Oyvin
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
somme [ Fr, 03 Juni 2005 08:56 ] [ ID #822191 ]

Re: Client Authentication and Access Control

On Fri, Jun 03, 2005 at 08:56:56AM +0200, =C3=98yvin S=C3=B8mme wrote:
> Method 2 (SSLRequire):
>
> The user-id field is just '-'.
>
> Can I somehow configure apache/mod_ssl to only store certain elements o=
f
> the DN (e.g. the CN in the DN) as the user-id in the access-log?

mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
this:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusernam e

Regards,

joe
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Joe Orton [ Fr, 03 Juni 2005 09:47 ] [ ID #822192 ]

Re: Client Authentication and Access Control

Joe Orton wrote:
> On Fri, Jun 03, 2005 at 08:56:56AM +0200, =C3=98yvin S=C3=B8mme wrote:
>
>>Method 2 (SSLRequire):
>>
>> The user-id field is just '-'.
>>
>>Can I somehow configure apache/mod_ssl to only store certain elements o=
f
>>the DN (e.g. the CN in the DN) as the user-id in the access-log?
>
>
> mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
> this:
>
> http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusernam e
>
> Regards,
>
> joe
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users [at] modssl.org
> Automated List Manager majordomo [at] modssl.org

Thanks for a very good suggestion. Seems to be just what I need.
So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
inside the <IfDefine SSL> </IfDefine> context. This resulted in *no*
change in my log files, the user-id field was still '-'.

Any idea why it didn't work?


Regards
=C3=98yvin
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
somme [ Di, 14 Juni 2005 14:24 ] [ ID #836985 ]

Re: Client Authentication and Access Control

=C3=98yvin S=C3=B8mme wrote:
> Joe Orton wrote:
>
>> On Fri, Jun 03, 2005 at 08:56:56AM +0200, =C3=98yvin S=C3=B8mme wrote:
>>
>>> Method 2 (SSLRequire):
>>>
>>> The user-id field is just '-'.
>>>
>>> Can I somehow configure apache/mod_ssl to only store certain elements=
of
>>> the DN (e.g. the CN in the DN) as the user-id in the access-log?
>>
>>
>>
>> mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
>> this:
>>
>> http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusernam e
>>
>> Regards,
>>
>> joe
>
>
> Thanks for a very good suggestion. Seems to be just what I need.
> So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
> inside the <IfDefine SSL> </IfDefine> context. This resulted in *no*
> change in my log files, the user-id field was still '-'.
>
> Any idea why it didn't work?
>
>
> Regards
> =C3=98yvin


I found out the issue: I cannot use 'SSLOptions +FakeBasicAuth' together =
with 'SSLUserName xxx'
(not documented anywhere).

Regards.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
somme [ Di, 14 Juni 2005 16:28 ] [ ID #836986 ]
Webserver » gmane.comp.apache.mod-ssl.user » Client Authentication and Access Control

Vorheriges Thema: Using Environment Variables Inside an SSLRequire regex statement
Nächstes Thema: Internet Explorer Security Warning Using Self Signed Certificates

[ Startseite ] [ Administrator ] [ Suche ] [ Hinweise ] [ Impressum ]

Powered by FudForum