How can I allow only clients who have certificates to access a particular URL?

[andre_nn]

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
"How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?"

I get an error:

Code:

[Thu Jul 01 15:37:35 2010] [error] [client 127.0.0.1] user /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru: authentication failure for "/": Password Mismatch

[dklynn]

andre,

I'm not sure what "certificates" you're talking about but either issue another password to them OR use SESSIONs. I've found them to be particularly powerful as you can assign "levels" to the data you store in their sessions (via login) which can be used as passkeys to various scripts.

Regards,

DK

[andre_nn]

andre,

I'm not sure what "certificates" you're talking about but either issue another password to them OR use SESSIONs. I've found them to be particularly powerful as you can assign "levels" to the data you store in their sessions (via login) which can be used as passkeys to various scripts.

Regards,

DK

Thank you for your reply! This question is asked in different forums and only you responded. My English is not very good. I would be grateful if you would write in simple language.

When you create a certificate, you can write in commonName IP-address?

If I disconnect «SSLOptions FakeBasicAuth» (#SSLOptions FakeBasicAuth), then everything works. But in this decision is not binding the certificate to the user account.

[andre_nn]

1) Create your own self-signed trusted certificate (ca.crt) and private key (ca.key). They will sign the server certificate and the client

Code:

openssl req -new -newkey rsa: 1024 -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj / C = RU / ST = 52 / L = NN / O = AC-fond/OU = Certificate_Issuer / CN = 11.11.11.11/emailAddress = admin@123.ru -config "openssl.cnf"

2) Preparing configuration ca.config (See attached file)

3) Creating a private server key and request a server certificate

Code:

openssl req -new -newkey rsa: 1024 -nodes -keyout server.key -out server.csr -subj / C = RU / ST = 52 / L = NN / O = AC-fond/OU = Razrabotka / CN = 11.11.11.11/emailAddress = admin-serv@123.ru -config "openssl.cnf"

4) signing the request to the server certificate using сa.crt and obtain a server certificate

Code:

openssl ca -config ca.config -in server.csr -out server.crt-batch

5) Creating a private key and client request a client certificate

Code:

openssl req -new -newkey rsa: 1024 -nodes -keyout stellar.key -out stellar.csr -subj / C = RU / ST = 52 / L = NiNo / O = AC-fond/OU = Razrabotka / CN = 11.11. 11.11/emailAddress = abc@123.ru-config "openssl.cnf"

6) sign a request for a client certificate using сa.crt and obtain a client certificate

Code:

openssl ca-config ca.config-in stellar.csr-out stellar.crt-batch

7) Prepare a certificate for transmission to the user. To do this, execute the following command:

Code:

openssl pkcs12 -export -in stellar.crt -inkey stellar.key -certfile ca.crt -out stellar.p12 -passout pass:123

[andre_nn]

Then editing \Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-ssl.conf

[andre_nn]

File "C: / passwd" contains

[andre_nn]

I pass the certificate validation and get login screen, but authentication can not pass. In the logs I receive an error:

Code:

[Fri Jul 02 15:21:00 2010] [error] [client 192.168.2.14] user /C=RU/ST=52/L=NiNo/O=AC-fond/OU=Razrabotka/CN=11.11.11.11/emailAddress=abc@123.ru: authentication failure for "/": Password Mismatch

[dklynn]

Andre,

Please do not worry about the language (other than that English use is required). I remember almost nothing of my university Russian, high school French or my junior high (middle school?) Latin. In other words, your English is much better than my {any other human language}.

Now, to your question: Although I insist on a Linux box for a production server, I rely on WHM/cPanel to deal with the (signed) Secure Server Certificates as well as password protecting directories. Of course, I supplement each with both mod_rewrite and PHP scripts to ensure that "secure" pages are processed via SSL and "casual" pages are not.

Because it's after midnight (and I'm up to my ears in preparing taxes), I can't go research at Apache.org but it's my feeling that you're making it more complicated than necessary: Use the Secure Server Certificate to have your pages encrypted and use password protected directories deal with the directory permissions.

Aw, from http://httpd.apache.org/docs/2.2/ssl...#accesscontrol, it appears that you're doing everything right except for (possibly) including the last bits about mod_rewrite (with the correct IP address, of course):

Code:

#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond          %{HTTPS} !=on
RewriteRule          .* - [F]

That merely FAILs any request from the LAN (192.168.1.x) which is not using the Secure Server.

Other than that, tonight, my brain is fried and I'm headed to bed.

G'nite!

DK

[andre_nn]

I could not find information on CN: (
Can or not to register the IP address in CN?

All checked this link
http://httpd.apache.org/docs/2.2/ssl...#accesscontrol
What is the cause mistake I did not understand. I want to solve this problem. Maybe you know the developers of Apache? Maybe they ask what the reason for the error? I understood that I was doing wrong.

[andre_nn]

Hello dklynn!

In my case, what should I enter in the authorization window?

[dklynn]

Andre,

From memory (rusty now, of course), that should ask you for the title of the password window Apache will present as well as the location of the username : password file. From memory (again), Windows does NOT create that file properly so you'll need to look for an application online which can create the passwords for you in the proper format (those pages will normally also provide a full documentation on how to create, store and use the password protection scheme).

I'm NOT much help in this regard as I'm on a WinDoze box as a test server but leave all this to cPanel on the production server. cPanel takes all the pain out of this process so I've gotten lazy (lazier? ) in my old age.

Regards,

DK

[andre_nn]

Hello from Russia!!!

From Russia with love!

Thank you for your answers and help!

Andre,

From memory (rusty now, of course), that should ask you for the title of the password window Apache will present as well as the location of the username : password file. From memory (again), Windows does NOT create that file properly so you'll

"Windows does NOT create that file properly so you'll need" ((((

Must write a letter Bill Gates!

http://www.sitepoint.com/forums/show...16&postcount=3
"If I disconnect «SSLOptions FakeBasicAuth» (#SSLOptions FakeBasicAuth), then everything works. But in this decision is not binding the certificate to the user account."

Why Sign works with # SSLOptions FakeBasicAuth ?

Maybe it's bug Apache?

need to look for an application online which can create the passwords for you in the proper format (those pages will normally also provide a full documentation on how to create, store and use the password protection scheme).

hmmmm...
All Internet searched ... no solution (((
I will continue to look...

[andre_nn]

Andre,
I'm NOT much help in this regard as I'm on a WinDoze box as a test server but leave all this to cPanel on the production server. cPanel takes all the pain out of this process so I've gotten lazy (lazier? ) in my old age.

Regards,

DK

There WinDoze - there is a problem, yes? (((

Check the binding client certificates to accounts on the old Linux RH (I have no other )

[dklynn]

Andre,

Indeed! M$ has never been much of a fan of security and, what they do, they reinvent (or ... well, I won't get into their business ethics) how to do things (just to remain incompatible, I believe) so they won't use the standard encryption for passwords.

Oh, well, here are some Google searches of use to you: apache password protect directory and apache password generator which give you Authentication, Authorization and Access Control and Apache Password Generator.

Regards,

DK

[andre_nn]

Created password using the program Apache Password Generator.

Recreating all the certificates. Trying on a virtual machine

File "C: / passwd" contains:

Code:

/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:0sqzDS6URBCog

I pass the certificate validation and get login screen. Enter login and password:
login: /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru
password: password

In the logs I receive an error:

Code:

[Thu Jul 08 17:47:06 2010] [info] Initial (No.1) HTTPS request received for child 149 (server 127.0.0.1:443) 
[Thu Jul 08 17:47:06 2010] [error] [client 127.0.0.1] Encountered FakeBasicAuth spoof: /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru 
[Thu Jul 08 17:47:06 2010] [info] [client 127.0.0.1] Connection closed to child 149 with unclean shutdown (server 127.0.0.1:443)

[andre_nn]

It's a miracle! )))))))

The old error disappeared! )))))

A new error:
"Encountered FakeBasicAuth spoof"

Thank you!!!


We will solve the next problem?

[dklynn]

Andre,

Congratulations!

Frankly, I don't believe I've been very useful to you because I'm just not "up" on this dealing directly with Apache (cPanel is my "crutch").

I'm a bit concerned with "FakeBasicAuth", though. Try a search at apache.org for that before going to Google for information as that's what I'd have to do.

Regards,

DK

[andre_nn]

Andre,
Congratulations!

Thank you! Without your help I would have understood with one error - authentication failure for "/"

Frankly, I don't believe I've been very useful to you because I'm just not "up" on this dealing directly with Apache (cPanel is my "crutch").

I understand you. If you have any ideas, then write. I'll wait.

I'm a bit concerned with "FakeBasicAuth", though. Try a search at apache.org for that before going to Google for information as that's what I'd have to do.

I have not found an answer. I will look further.
Thanks again for your help!



Regards,

Andre

[andre_nn]

http://httpd.apache.org/docs/2.2/mod...tml#ssloptions

FakeBasicAuth
When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user. Every entry in the user file needs this password: ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the word `password''. Those who live under MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''.

[andre_nn]

All rechecked. Amended. Now people in the client certificate authentication is automatic (I do not have such)

AuthUserFile "C:/passwd"

Understands the only such option

Code:

/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:password

Understands:

Code:

/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:TwqLN.x8CxUqk

Code:

/C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:xxj31ZMTZzkVA

Apache Password Generator does not help. Helps only plain text «password»


The challenge: how to bind an account of his certificates are not resolved.

[andre_nn]

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
"How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?"

Everything works! But only works with the password "password" and it applies automatically, rather than entered manually by users: (