Tuesday, April 06, 2010
Client certificates in Apache
I've been spending an inordinate amount of time playing around with Apache, starting with
mod_lua, which lead me
to reconfigure both Apache 2.0.52 (which came installed by default) and
Apache 2.3.5 (compiled from source, because mod_lua is only
available for Apache 2.3) so they could run at the same time. This lead to
using IPv6 because I
have almost two dozen “sites” running locally (and as I've found, it's
just as easy to use IPv6 addresses as it is IP addresses, although the DNS PTR records get
a little silly).
This in turn lead to installing more secure sites locally, because I can (using TinyCA makes it trivial actually), and this lead to a revamp of my secure site (note: the link takes you to an unsecure page—the actual secure site uses a certificate signed by my “certificate authority” which means you'll get a warning which can be avoided by installing the certificate from the unsecure site). And from there, I learned a bit more about authenticating with client certificates. Specifically, isolating certain pages to just individual users.
So, to configure client side certificates, you need to create a client certificate (easy with TinyCA as it's an option when signing a request) and install it in the browser. You then need to install the certificate authority certificate so that Apache can use it to authenticate against the client certificate (um … yeah). In the Apache configuration file, just add:
SSLCACertificateFile /path/to/ca.crt
Then add the appropriate mod_ssl
options to the secure site (client-side authentication only works with
secure connections). For example, here's my configuration:
<VirtualHost 66.252.224.242:443>
ServerName secure.conman.org
DocumentRoot /home/spc/web/sites/secure.conman.org/s-htdocs
# ...
<Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
and %{SSL_CLIENT_S_DN_OU} eq Clients"
SSLVerifyClient require
SSLVerifyDepth 5
</Directory>
</VirtualHost>
And in order to protect a single file with more stringent controls (and here for example, is my bookmarks file):
<VirtualHost 66.252.224.242:443>
# ...
<Location /library/bookmarks.html>
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
and %{SSL_CLIENT_S_DN_CN} eq "Sean Conner"
SSLVerifyClient require
SSLVerifyDepth 5
</Location>
</VirtualHost>
The <Files> directive in Apache didn't work—I
suspect because the <Directory> directive is processed
first and it allows anybody from the unit “Clients” access and thus any
<Files> directives are ignored, whereas
<Location> directives are processed before
<Directory> directives, and thus anyone not me
is denied access to my bookmarks.
Now, I just need to figure out what to do about some recent updates to Apache, since I have some “old/existing clients” to support (namely, Firefox 2 on my Mac, which I can't upgrade because I'm stuck at 10.3.9 on the system, because the DVD player is borked … )
![[The future's so bright, I gotta wear shades]](https://www.conman.org/people/spc/about/2023/1023.t.jpg "The future's so bright, I gotta wear shades")