  #1  SitePoint Member (Join Date Jul 2010; Posts 16)

    Question: How can I allow only clients who have certificates to access a particular URL?

    http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
    "How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?"

    I get an error:
    Code:
    [Thu Jul 01 15:37:35 2010] [error] [client 127.0.0.1] user /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru: authentication failure for "/": Password Mismatch

  #2  dklynn (Certified Ethical Hacker; Join Date Feb 2002; Location Auckland; Posts 14,607)
    andre,

    I'm not sure what "certificates" you're talking about but either issue another password to them OR use SESSIONs. I've found them to be particularly powerful as you can assign "levels" to the data you store in their sessions (via login) which can be used as passkeys to various scripts.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  #3  SitePoint Member
    Quote Originally Posted by dklynn (post #2)
    Thank you for your reply! This question has been asked in different forums and only you responded. My English is not very good. I would be grateful if you would write in simple language.

    When you create a certificate, can you put an IP address in the commonName?

    If I disable «SSLOptions FakeBasicAuth» (#SSLOptions FakeBasicAuth), then everything works. But with this solution the certificate is not bound to the user account.

  #4  SitePoint Member
    1) Create your own self-signed trusted certificate (ca.crt) and private key (ca.key). They will be used to sign the server and client certificates.
    Code:
    openssl req -new -newkey rsa:1024 -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/C=RU/ST=52/L=NN/O=AC-fond/OU=Certificate_Issuer/CN=11.11.11.11/emailAddress=admin@123.ru" -config "openssl.cnf"
    2) Prepare the configuration ca.config (see attached file)

    3) Create the server private key and a server certificate request
    Code:
    openssl req -new -newkey rsa:1024 -nodes -keyout server.key -out server.csr -subj "/C=RU/ST=52/L=NN/O=AC-fond/OU=Razrabotka/CN=11.11.11.11/emailAddress=admin-serv@123.ru" -config "openssl.cnf"
    4) Sign the server certificate request with ca.crt and obtain the server certificate
    Code:
    openssl ca -config ca.config -in server.csr -out server.crt -batch
    5) Create the client private key and a client certificate request
    Code:
    openssl req -new -newkey rsa:1024 -nodes -keyout stellar.key -out stellar.csr -subj "/C=RU/ST=52/L=NiNo/O=AC-fond/OU=Razrabotka/CN=11.11.11.11/emailAddress=abc@123.ru" -config "openssl.cnf"
    6) Sign the client certificate request with ca.crt and obtain the client certificate
    Code:
    openssl ca -config ca.config -in stellar.csr -out stellar.crt -batch
    7) Prepare the certificate for delivery to the user. To do this, execute the following command:
    Code:
    openssl pkcs12 -export -in stellar.crt -inkey stellar.key -certfile ca.crt -out stellar.p12 -passout pass:123
    (attached file)
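The seven steps above, collected into one script as an added example (not the post's own commands and not its ca.config attachment). It assumes openssl 1.1.1 or later on PATH; the CA subject, the address 11.11.11.11 and the client name stellar are placeholders. Two deliberate departures from the post: keys are 2048-bit rather than 1024-bit, and `openssl x509 -req -CA` signs the requests so no ca.config is needed. It also covers the CN question from post #3: an IP address can be written into the CN, but browsers validate the server against subjectAltName, so the script puts `IP:11.11.11.11` there as well. The last function prints the subject DN in the one-line form that httpd 2.2's FakeBasicAuth uses as the username (httpd 2.4 switched to RFC 2253 order unless `SSLOptions +LegacyDNStringFormat` is set).

```shell
#!/bin/sh
# Added example (not from the original post). Builds the CA, server and client
# certificates plus the PKCS#12 bundle the post describes, verifies the chain,
# and prints the DN that FakeBasicAuth will present as the username.
# Assumptions: openssl 1.1.1+ on PATH; every name and address below is a placeholder.
set -eu

build_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1) Self-signed CA. 2048-bit RSA; the post's rsa:1024 is below current minimums.
    openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=RU/ST=52/L=NN/O=AC-fond/OU=Certificate_Issuer/CN=demo-ca" >/dev/null 2>&1

    # 2) Server key + CSR. An IP in the CN alone is not enough for browsers; they
    #    match the host against subjectAltName, so the IP goes there too.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=RU/ST=52/L=NN/O=AC-fond/OU=Razrabotka/CN=11.11.11.11" >/dev/null 2>&1
    printf 'subjectAltName=IP:11.11.11.11\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1

    # 3) Client key + CSR, signed by the same CA and restricted to clientAuth.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/stellar.key" -out "$dir/stellar.csr" \
        -subj "/C=RU/ST=52/L=NiNo/O=AC-fond/OU=Razrabotka/CN=stellar/emailAddress=abc@123.ru" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/stellar.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/client.ext" \
        -out "$dir/stellar.crt" >/dev/null 2>&1

    # 4) PKCS#12 for the user's browser. The export password is taken from the
    #    environment instead of "-passout pass:123", so it is not visible in ps output.
    P12_PASS="${P12_PASS:-changeme}" openssl pkcs12 -export \
        -in "$dir/stellar.crt" -inkey "$dir/stellar.key" -certfile "$dir/ca.crt" \
        -out "$dir/stellar.p12" -passout env:P12_PASS >/dev/null 2>&1
}

# Both leaf certificates must chain to ca.crt, which is what httpd checks
# through SSLCACertificateFile.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/stellar.crt" >/dev/null 2>&1
}

# The username FakeBasicAuth synthesises for this certificate, in the
# slash-separated form used by httpd 2.2 (and by 2.4 with LegacyDNStringFormat).
fakebasicauth_user() {
    openssl x509 -noout -subject -nameopt compat -in "$1/stellar.crt" | sed 's/^subject= *//'
}

# Usage: sh build_pki.sh ./pki
if [ $# -gt 0 ]; then
    build_pki "$1" && verify_chain "$1" && fakebasicauth_user "$1"
fi
```

The printed DN, followed by a colon and the hash of the word password, is the line that belongs in the AuthUserFile; `-nameopt compat` matters, because the default output of newer openssl versions is the comma-separated RFC 2253 form, which httpd 2.2 will not match.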

  #5  SitePoint Member
    Then edit \Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-ssl.conf:
    (attached file)
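The httpd-ssl.conf fragment below is an added example, not the attachment from the post. It assumes httpd 2.2 on Windows, certificate files under C:/Apache2.2/conf/ssl and a protected path /secure/area; all of these are placeholders. It follows the ssl_howto recipe the thread links to: no client certificate is demanded for the server as a whole, one `<Location>` requires a certificate issued by ca.crt, and FakeBasicAuth maps the certificate's DN onto a Basic-auth user so a normal AuthUserFile decides who is allowed in. The comment block at the end lists which password-field formats actually match on which platform, which is where the thread spends most of its remaining posts.

```apache
# Added example (not the post's attachment). Placeholders: the C:/Apache2.2
# paths, the /secure/area URL and the AuthName text.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    "C:/Apache2.2/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Apache2.2/conf/ssl/server.key"
    # CA that issued the client certificates; only certificates chaining to it are accepted
    SSLCACertificateFile  "C:/Apache2.2/conf/ssl/ca.crt"

    # Server-wide: no client certificate is demanded, so the rest of the site stays public
    SSLVerifyClient none

    <Location /secure/area>
        # Here a valid client certificate is mandatory (httpd renegotiates to obtain it)
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLRequireSSL
        SSLOptions +FakeBasicAuth +StrictRequire

        # FakeBasicAuth: username = the certificate's subject DN exactly as
        # SSL_CLIENT_S_DN prints it ("/C=RU/ST=.../emailAddress=..."),
        # password = the literal word "password", supplied by mod_ssl itself.
        # No login box should ever appear; if one does, the AuthUserFile entry
        # for that DN did not match.
        AuthType Basic
        AuthName "Client certificate holders only"
        AuthBasicProvider file
        AuthUserFile "C:/Apache2.2/conf/passwd"
        Require valid-user
    </Location>
</VirtualHost>

# C:/Apache2.2/conf/passwd holds one line per certificate, "DN:password-field".
# With DN = /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru
#   Unix httpd, crypt() hash of "password":      DN:xxj31ZMTZzkVA
#   any platform, htpasswd -m ($apr1$ MD5 hash):  DN:$apr1$<salt>$<hash>
#   Windows only, plain text:                     DN:password
# httpd on Windows and Netware has no crypt(), so the xxj31ZMTZzkVA entry from
# the documentation is rejected there with "Password Mismatch"; the $apr1$
# form works everywhere and keeps the word out of the file in clear.
```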

  #6  SitePoint Member
    File "C:/passwd" contains:
    (attached file)

  #7  SitePoint Member
    I pass the certificate validation and get the login screen, but authentication does not pass. In the logs I receive this error:
    Code:
    [Fri Jul 02 15:21:00 2010] [error] [client 192.168.2.14] user /C=RU/ST=52/L=NiNo/O=AC-fond/OU=Razrabotka/CN=11.11.11.11/emailAddress=abc@123.ru: authentication failure for "/": Password Mismatch

  #8  dklynn
    Andre,

    Please do not worry about the language (other than that English use is required). I remember almost nothing of my university Russian, high school French or my junior high (middle school?) Latin. In other words, your English is much better than my {any other human language}.

    Now, to your question: Although I insist on a Linux box for a production server, I rely on WHM/cPanel to deal with the (signed) Secure Server Certificates as well as password protecting directories. Of course, I supplement each with both mod_rewrite and PHP scripts to ensure that "secure" pages are processed via SSL and "casual" pages are not.

    Because it's after midnight (and I'm up to my ears in preparing taxes), I can't go research at Apache.org but it's my feeling that you're making it more complicated than necessary: Use the Secure Server Certificate to have your pages encrypted and use password protected directories deal with the directory permissions.

    Aw, from http://httpd.apache.org/docs/2.2/ssl...#accesscontrol, it appears that you're doing everything right except for (possibly) including the last bits about mod_rewrite (with the correct IP address, of course):
    Code:
    #   Force clients from the Internet to use HTTPS
    RewriteEngine        on
    RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    RewriteCond          %{HTTPS} !=on
    RewriteRule          .* - [F]
    That merely FAILs any request from the LAN (192.168.1.x) which is not using the Secure Server.

    Other than that, tonight, my brain is fried and I'm headed to bed.

    G'nite!

    DK

  #9  SitePoint Member
    I could not find information on CN :(
    Can an IP address be registered in the CN or not?

    I checked everything against this link
    http://httpd.apache.org/docs/2.2/ssl...#accesscontrol
    I did not understand what causes the error. I want to solve this problem. Maybe you know the Apache developers? Maybe we could ask them what the reason for the error is? I understood that I was doing something wrong.

  #10  SitePoint Member
    Hello dklynn!

    In my case, what should I enter in the authorization window?

  #11  dklynn
    Andre,

    From memory (rusty now, of course), that should ask you for the title of the password window Apache will present as well as the location of the username : password file. From memory (again), Windows does NOT create that file properly so you'll need to look for an application online which can create the passwords for you in the proper format (those pages will normally also provide a full documentation on how to create, store and use the password protection scheme).

    I'm NOT much help in this regard as I'm on a WinDoze box as a test server but leave all this to cPanel on the production server. cPanel takes all the pain out of this process so I've gotten lazy (lazier? ) in my old age.

    Regards,

    DK

  #12  SitePoint Member
    Hello from Russia!!!

    From Russia with love!

    Thank you for your answers and help!

    Quote Originally Posted by dklynn View Post
    Andre,

    From memory (rusty now, of course), that should ask you for the title of the password window Apache will present as well as the location of the username : password file. From memory (again), Windows does NOT create that file properly so you'll
    "Windows does NOT create that file properly so you'll need" ((((

    I must write a letter to Bill Gates!

    http://www.sitepoint.com/forums/show...16&postcount=3
    "If I disconnect «SSLOptions FakeBasicAuth» (#SSLOptions FakeBasicAuth), then everything works. But in this decision is not binding the certificate to the user account."

    Why does sign-in work with # SSLOptions FakeBasicAuth ?

    Maybe it's an Apache bug?

    Quote Originally Posted by dklynn View Post
    need to look for an application online which can create the passwords for you in the proper format (those pages will normally also provide a full documentation on how to create, store and use the password protection scheme).
    hmmmm...
    I searched the whole Internet... no solution (((
    I will continue to look...

  #13  SitePoint Member

    Quote Originally Posted by dklynn View Post
    Andre,
    I'm NOT much help in this regard as I'm on a WinDoze box as a test server but leave all this to cPanel on the production server. cPanel takes all the pain out of this process so I've gotten lazy (lazier? ) in my old age.

    Regards,

    DK


    Where there is WinDoze, there is a problem, yes? (((

    I will check binding client certificates to accounts on an old Linux RH (I have no other)

  #14  dklynn
    Andre,

    Indeed! M$ has never been much of a fan of security and, what they do, they reinvent (or ... well, I won't get into their business ethics) how to do things (just to remain incompatible, I believe) so they won't use the standard encryption for passwords.

    Oh, well, here are some Google searches of use to you: apache password protect directory and apache password generator which give you Authentication, Authorization and Access Control and Apache Password Generator.

    Regards,

    DK

  #15  SitePoint Member
    I created a password using the program Apache Password Generator.

    I recreated all the certificates. Trying it on a virtual machine.

    File "C:/passwd" contains:
    Code:
    /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:0sqzDS6URBCog

    I pass the certificate validation and get the login screen. I enter the login and password:
    login: /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru
    password: password

    In the logs I receive this error:
    Code:
    [Thu Jul 08 17:47:06 2010] [info] Initial (No.1) HTTPS request received for child 149 (server 127.0.0.1:443) 
    [Thu Jul 08 17:47:06 2010] [error] [client 127.0.0.1] Encountered FakeBasicAuth spoof: /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru 
    [Thu Jul 08 17:47:06 2010] [info] [client 127.0.0.1] Connection closed to child 149 with unclean shutdown (server 127.0.0.1:443)
    (attached file)

  #16  SitePoint Member
    It's a miracle! )))))))

    The old error disappeared! )))))

    A new error:
    "Encountered FakeBasicAuth spoof"

    Thank you!!!


    Shall we solve the next problem?

  #17  dklynn
    Andre,

    Congratulations!

    Frankly, I don't believe I've been very useful to you because I'm just not "up" on this dealing directly with Apache (cPanel is my "crutch").

    I'm a bit concerned with "FakeBasicAuth", though. Try a search at apache.org for that before going to Google for information as that's what I'd have to do.

    Regards,

    DK

  #18  SitePoint Member

    Quote Originally Posted by dklynn View Post
    Andre,
    Congratulations!
    Thank you! Without your help I would still be stuck on the one error: authentication failure for "/"

    Quote Originally Posted by dklynn View Post
    Frankly, I don't believe I've been very useful to you because I'm just not "up" on this dealing directly with Apache (cPanel is my "crutch").
    I understand you. If you have any ideas, then write. I'll wait.

    Quote Originally Posted by dklynn View Post
    I'm a bit concerned with "FakeBasicAuth", though. Try a search at apache.org for that before going to Google for information as that's what I'd have to do.
    I have not found an answer. I will look further.
    Thanks again for your help!



    Regards,

    Andre

  #19  SitePoint Member

    http://httpd.apache.org/docs/2.2/mod...tml#ssloptions
    FakeBasicAuth
    When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user. Every entry in the user file needs this password: "xxj31ZMTZzkVA", which is the DES-encrypted version of the word "password". Those who live under MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same word: "$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/".

  #20  SitePoint Member
    Everything rechecked and amended. Now people with a client certificate are authenticated automatically (I do not have such a thing)

    AuthUserFile "C:/passwd"

    It understands only this form:
    Code:
    /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:password
    It does not understand:
    Code:
    /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:TwqLN.x8CxUqk
    Code:
    /C=RU/ST=-/L=Moscow/O=Reki.ru/OU=SVN/CN=bugzilla.ru/emailAddress=svn@svn.reki.ru:xxj31ZMTZzkVA
    Apache Password Generator does not help. Only the plain text «password» helps.


    The task of binding an account to its certificate is not resolved.

  #21  SitePoint Member
    http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
    "How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?"

    Everything works! But it only works with the password "password", and it is applied automatically rather than entered manually by users :(
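The behaviour the last three posts converge on, as an added Python example that is neither the thread's code nor Apache's. It reimplements the $apr1$ md5crypt hash that `htpasswd -m` writes, builds the AuthUserFile entry for a certificate DN, and models the two mod_ssl checks that appear in the logs above: the fixed password "password" that mod_ssl supplies on the user's behalf (so the user never types anything), and the "Encountered FakeBasicAuth spoof" refusal that fires when the client itself sends a Basic header whose username starts with "/", which is what typing the DN into the login box in post #15 did. The reason only the plaintext entry matched in post #20 is the platform: httpd on Windows and Netware has no crypt(), so apr_password_validate compares any entry that is not $apr1$ or {SHA} as plain text there, and the documented crypt() value xxj31ZMTZzkVA can never match; an $apr1$ hash matches on every platform and keeps the word out of the file in clear. The $1$ test vector is the one from the mod_ssl documentation quoted in post #19; the DNs and salts used are constructed sample values.

```python
"""Added example; not code from the original thread or from Apache httpd.

Produces the AuthUserFile entry that mod_ssl's FakeBasicAuth needs for a client
certificate and models the checks around it. md5crypt is reimplemented from the
public FreeBSD/APR algorithm so an $apr1$ entry can be made on Windows, where
httpd has no crypt(). DNs and salts are constructed sample values.
"""
import base64
import hashlib
import secrets
from typing import Optional

FAKE_PASSWORD = "password"   # what mod_ssl sends for every accepted client certificate
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str, magic: str = "$apr1$") -> str:
    """md5crypt: magic "$1$" is Unix crypt(3), "$apr1$" is what htpasswd -m writes."""
    pw, s = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + magic.encode() + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                         # the algorithm's fixed stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v: int, n: int) -> str:              # crypt's own base-64, low bits first
        return "".join(_ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    f = final
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    return f"{magic}{s.decode()}${enc}{to64(f[11], 2)}"


def verify_entry(password: str, stored: str, windows: bool = True) -> bool:
    """Mirror of apr_password_validate's branches: $apr1$ works everywhere; anything
    else goes to crypt() on Unix but is compared as plain text on Windows/Netware.
    That is why, on the Windows box in this thread, only the entry "password"
    matched while the crypt() hash xxj31ZMTZzkVA gave "Password Mismatch"."""
    if stored.startswith("$apr1$"):
        salt = stored.split("$", 3)[2]
        return secrets.compare_digest(md5crypt(password, salt), stored)
    if windows:
        return secrets.compare_digest(stored, password)
    return False   # crypt() is not emulated here; xxj31ZMTZzkVA would match on Unix


def authuserfile_line(subject_dn: str, salt: Optional[str] = None) -> str:
    """One AuthUserFile entry for FakeBasicAuth: username = subject DN, password = 'password'."""
    salt = salt or "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{subject_dn}:{md5crypt(FAKE_PASSWORD, salt)}"


def fake_authorization_header(subject_dn: str) -> str:
    """The Authorization header mod_ssl builds internally after certificate verification."""
    return "Basic " + base64.b64encode(f"{subject_dn}:{FAKE_PASSWORD}".encode()).decode()


def is_fakebasicauth_spoof(client_authorization: Optional[str]) -> bool:
    """mod_ssl refuses any Basic header the *client* sends whose username begins with
    '/', because only the server may assert a certificate DN. Typing the DN into the
    browser's login box, as in post #15, triggers exactly this check."""
    if not client_authorization or not client_authorization.startswith("Basic "):
        return False
    try:
        userpass = base64.b64decode(client_authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return userpass.startswith("/")


def check_request(passwd_lines, subject_dn: str,
                  client_authorization: Optional[str] = None, windows: bool = True) -> str:
    """Outcome of one request to the protected URL after the TLS handshake succeeded."""
    if is_fakebasicauth_spoof(client_authorization):
        return "spoof"
    users = dict(line.rstrip("\n").split(":", 1) for line in passwd_lines if ":" in line)
    stored = users.get(subject_dn)
    if stored is None:
        return "user not found"
    return "ok" if verify_entry(FAKE_PASSWORD, stored, windows) else "password mismatch"


if __name__ == "__main__":
    dn = "/C=RU/ST=52/L=NiNo/O=AC-fond/OU=Razrabotka/CN=stellar/emailAddress=abc@123.ru"
    print(authuserfile_line(dn))
```

Run it and paste the printed line into the AuthUserFile; the DN must be copied byte for byte from `openssl x509 -noout -subject -nameopt compat`, because the username comparison is exact. Because every certificate holder shares the password "password", the AuthUserFile only decides which DNs are admitted; the actual authentication is the certificate check, so the file must be kept as tightly controlled as the CA that issued the certificates.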

