Kyle O'Donnell | 2 Nov 19:40 2002

Client/Server Authentication.

All,

I am trying to set up my web server to authenticate clients through ssl 
certs.  Thus far I have been able to do so successfully by creating 
client pkcs12 files, sending them to a client and importing them into the browser.  
What I have not been able to figure out is how to revoke a client's 
certificate.  We are looking at implementing WebDev for our developers 
where both htaccess and ssl are aimed to be used.  However, we do need to 
have the ability to revoke their access, and I have yet to find a way to 
revoke only 1 client's ssl access.  If anyone can help out or point me in 
the right direction, it would be much appreciated.

Regards,
Kyle O'Donnell

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Peter Viertel | 3 Nov 11:38 2002

Re: Certificate Server

You certainly can. See the openssl FAQ

http://www.openssl.org/support/faq.cgi#USER4

Miguel Angel Gomez Animas wrote:

>
>
>
> Hi all....
>
> I want to know if it is possible to create a server certificate with modssl, 
> something like a personal verisign or something like this...
>
> What do I have to do???, can you help me with this???
>
> Thanks a lot!!!!
>
>

Marcin | 3 Nov 16:52 2002

IE and client verification problem

Hi,

I'm experiencing weird problems with MSIE clients accessing pages on an
Apache 1.3.26+mod_ssl-2.8.9 server (Debian Woody with current updates) with
client verification turned on.
I created and signed a CA certificate, then created and signed server and
several clients' certificates.
On every client workstation, I imported the proper client certificate into
MSIE.
In the Apache config I enabled mod_ssl and set "verify client required" for
the Document Root directory,
and put in the "magic" SetEnvIf stuff (unclean-shutdown, downgrade-1.0 and so
on) as recommended in the FAQ.

Everything seemed to work just fine, but users started to report the absence of
some pages' elements.
Further investigation showed that, for some unknown reason, MSIE
doesn't load all of the page
components.

I've created a simple test.html:
<html>
<body>
<img src="test1.gif"><img src="test2.gif"><img src="test2.gif">
<img src="test1.gif"><img src="test2.gif"><img src="test2.gif">
(some more repetition of above line)
</body>
</html>
put it into DocumentRoot and requested it from MSIE. Randomly chosen

Lawrence Cole | 4 Nov 07:13 2002

RE: Startup Script

Owen,

Both solutions work.  Thank you very much for your time and patience.

Regards,

-Lawrence

-----Original Message-----
From: owner-modssl-users <at> modssl.org
[mailto:owner-modssl-users <at> modssl.org] On Behalf Of Boyle Owen
Sent: Thursday, October 31, 2002 1:04 AM
To: modssl-users <at> modssl.org
Subject: RE: Startup Script

To expand a little on my previous post:

When you run a shell-script, it forks a new shell which doesn't usually
inherit environment variables from the calling shell. So you have to set
any envs in the script. To do this under the standard shell (i.e.
/bin/sh) you need two lines:

	LD_LIBRARY_PATH="/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib"
	export LD_LIBRARY_PATH

Under the tcsh, you'd only need one:

	setenv LD_LIBRARY_PATH /lib:/usr/lib:/usr/local/lib:/usr/openwin/lib


James Hastings-Trew | 4 Nov 16:51 2002

Re: IE and client verification problem

Sounds like you need to put a session cache in your apache config.

> Everything seemed to work just fine, but users started to report the absence of
> some pages' elements.
> Further investigation showed that, for some unknown reason, MSIE
> doesn't load all of the page
> components.


Marcin | 4 Nov 17:28 2002

Re: IE and client verification problem

"James Hastings-Trew" <james <at> marketingden.com> wrote:
> Sounds like you need to put a session cache in your apache config.

Thanks for the response, but I already did it (forgot to mention it). Here is
the important part of my httpd.conf.

<Directory /var/www/app>
        Options Includes FollowSymLinks MultiViews ExecCGI Includes
        AllowOverride All
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLOptions +FakeBasicAuth +StrictRequire  +CompatEnvVars +StdEnvVars
        SSLRequireSSL
        SSLRequire (%{SSL_CLIENT_S_DN_O} eq "MYORG"  and %{SSL_CIPHER_USEKEYSIZE}>=128)
        Satisfy all
        order deny,allow
        deny from all
        allow from 192.168.0.0/255.255.255.0
</Directory>

SSLEngine on
SSLCertificateFile /etc/apache/webserver.crt
SSLCertificateKeyFile /etc/apache/webserver.key
SSLCACertificateFile /etc/apache/ca.crt
SSLMutex sem
SSLSessionCacheTimeout 600
SSLSessionCache dbm:/tmp/ssl.cache
SetEnvIf User-Agent "MSIE" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

asom | 4 Nov 23:20 2002

Configuring Multiple Certicates SSL over an unique IP


Hello,

 Is there some way to configure the Apache Server to use multiple 
SSL certificates over a unique IP, one for each virtual domain?

 What is the Apache configuration syntax?

Alex Moraes


Boyle Owen | 5 Nov 08:48 2002

RE: Configuring Multiple Certicates SSL over an unique IP

No. This is called name-based virtual hosting (NBVH). It works fine for
plain HTTP but is impossible under SSL.

The reason is that NBVH uses the "Host" header to find the VH. But in
SSL, the connection must be established *before* you get the Host
header. So the server cannot decide which VH to use. 

Rgds,

Owen Boyle 

-----Original Message-----
From: asom <at> vetorialnet.com.br [mailto:asom <at> vetorialnet.com.br]
Sent: Montag, 4. November 2002 23:20
To: modssl-users <at> modssl.org
Subject: Configuring Multiple Certicates SSL over an unique IP

Hello,

 Is there some way to configure the Apache Server to use multiple
SSL certificates over a unique IP, one for each virtual domain?

 What is the Apache configuration syntax?

Alex Moraes


ueli | 5 Nov 10:08 2002

Re: Configuring Multiple Certicates SSL over an unique IP

On Tue, 5 Nov 2002 08:48:58 +0100
"Boyle Owen" <Owen.Boyle <at> swx.com> wrote:

> No. This is called name-based virtual hosting (NBVH). It works fine for
> plain HTTP but is impossible under SSL.
> 
> The reason is that NBVH uses the "Host" header to find the VH. But in
> SSL, the connection must be established *before* you get the Host
> header. So the server cannot decide which VH to use. 

except you are using a star-certificate, 

if your certificate is *.foo.bar you can use name-based virtual hosting for
the following hosts:

www.foo.bar
test.foo.bar 
new.foo.bar
...
what-ever.foo.bar

> 
> Rgds,
> 
> Owen Boyle 
> 
> -----Original Message-----
> From: asom <at> vetorialnet.com.br [mailto:asom <at> vetorialnet.com.br]
> Sent: Montag, 4. November 2002 23:20
> To: modssl-users <at> modssl.org

Boyle Owen | 5 Nov 11:21 2002

RE: Configuring Multiple Certicates SSL over an unique IP

Yes indeed, although this is a rather limited case of NBVH.

-----Original Message-----
From: ueli <at> heuer.org [mailto:ueli <at> heuer.org]
Sent: Dienstag, 5. November 2002 10:08
To: modssl-users <at> modssl.org
Subject: Re: Configuring Multiple Certicates SSL over an unique IP

On Tue, 5 Nov 2002 08:48:58 +0100
"Boyle Owen" <Owen.Boyle <at> swx.com> wrote:

> No. This is called name-based virtual hosting (NBVH). It works fine for
> plain HTTP but is impossible under SSL.
> 
> The reason is that NBVH uses the "Host" header to find the VH. But in
> SSL, the connection must be established *before* you get the Host
> header. So the server cannot decide which VH to use. 

except you are using a star-certificate, 

if your certificate is *.foo.bar you can use name-based virtual hosting
for the following hosts:

www.foo.bar
test.foo.bar 
new.foo.bar
...
what-ever.foo.bar
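
Added example, not part of the original posts: as the thread explains, the server presents its certificate before it sees the Host header, so every name-based virtual host on one IP and port gets the same certificate and each ServerName has to match a name in it. The sketch below checks a vhost list against the thread's *.foo.bar certificate using the single-label wildcard rule of RFC 6125; the function names and the extra hostnames are assumptions made for illustration.

```python
# Added example: which name-based vhosts can share one certificate on one IP:port.
# CERT_NAMES and the first four VHOSTS come from the thread; the rest are constructed.
CERT_NAMES = ["*.foo.bar"]
VHOSTS = ["www.foo.bar", "test.foo.bar", "new.foo.bar", "what-ever.foo.bar",
          "WWW.FOO.BAR.", "foo.bar", "a.b.foo.bar", "www.example.org"]


def _labels(name):
    # DNS names are case-insensitive; a trailing dot is only the root label.
    return name.rstrip(".").lower().split(".")


def cert_name_matches(pattern, host):
    """Match one certificate name against one hostname (RFC 6125 style)."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never zero or several
    wildcard = p[0] == "*"
    rest = p[1:] if wildcard else p
    if any("*" in label for label in rest):
        return False  # wildcard accepted only as the whole left-most label
    if not wildcard:
        return p == h
    # Conservative choice in this sketch: refuse patterns as broad as "*.bar".
    return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]


def split_vhosts(cert_names, vhosts):
    """Return (covered, mismatched) vhost names for the one certificate served."""
    covered, mismatched = [], []
    for vh in vhosts:
        ok = any(cert_name_matches(name, vh) for name in cert_names)
        (covered if ok else mismatched).append(vh)
    return covered, mismatched


if __name__ == "__main__":
    covered, mismatched = split_vhosts(CERT_NAMES, VHOSTS)
    print("served without a name mismatch:", covered)
    print("client will report a name mismatch:", mismatched)
```

Run against the real ServerName list before putting several vhosts behind one wildcard certificate: the bare domain and any deeper subdomain fall in the mismatched list.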