SSL reverse proxy + Client Cert auth

on 16.08.2002 10:38:27 by Danny Kruitbosch

Hi,

We want to build the following situation:

- Apache with mod_ssl as a reverse SSL proxy (Client ---> SSL/HTTPS
---> Rev. proxy ---> HTTP ---> Web/App server)
- We need to check for client certificates. These certs are handed out
by another party (not a real TTP). We need to check the signature on the
client certs and the validity of the client certs.


What's the best way to do this? I've read the mod_ssl manual, but I
don't understand how I can check client certs from another (third) party.

How do I setup Apache as an SSL reverse proxy?

Any help on this would be great!

Cheers,

Danny Kruitbosch

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL reverse proxy + Client Cert auth

on 16.08.2002 14:49:39 by tgagne

I'm not sure about checking another authority, but suspect the configs
would be in conf/ssl.conf. For doing the reverse proxying, I edited
proxy.conf and included it inside ssl.conf. Inside proxy.conf,
statements like:

ProxyPass /cgi/ http://10.0.10.1/cgi/
ProxyPassReverse /cgi/ http://10.0.10.1/cgi/

are what accomplish the reverse proxying. In our case, https: comes
into the proxy and we talk (behind the DMZ) http to the web servers.

Danny Kruitbosch wrote:

> Hi,
>
> We want to build the following situation:
>
> - Apache with mod_ssl as a reverse SSL proxy (Client ---> SSL/HTTPS
> ---> Rev. proxy ---> HTTP ---> Web/App server)
> - We need to check for client certificates. These certs are handed out
> by another party (not a real TTP). We need to check the signature on
> the client certs and the validity of the client certs.
>
>
> What's the best way to do this. I've read the mod_ssl manual, but I
> don't understand how I can check client certs from another (third) party.
>
> How do I setup Apache as an SSL reverse proxy?
>
> Any help on this would be great!
>
> Cheers,
>
> Danny Kruitbosch
>
>


--
..tom
http://isectd.sourceforge.net


Re: SSL reverse proxy + Client Cert auth

on 19.08.2002 08:40:13 by Anbuchezhian Chelliah

Hi Danny,
I guess I understood your doubt. If not, please
ignore this. There should be 'ca-bundle.crt' file in
which you can put the third party's certificate and
you could make a try.

Rgds,
Anbu

--- Danny Kruitbosch wrote:
> Hi,
>
> We want to build the following situation:
>
> - Apache with mod_ssl as a reverse SSL proxy (Client
> ---> SSL/HTTPS
> ---> Rev. proxy ---> HTTP ---> Web/App server)
> - We need to check for client certificates. These
> certs are handed out
> by another party (not a real TTP). We need to check
> the signature on the
> client certs and the validity of the client certs.
>
>
> What's the best way to do this. I've read the
> mod_ssl manual, but I
> don't understand how I can check client certs from
> another (third) party.
>
> How do I setup Apache as an SSL reverse proxy?
>
> Any help on this would be great!
>
> Cheers,
>
> Danny Kruitbosch
>



Re: SSL reverse proxy + Client Cert auth

on 20.08.2002 06:03:35 by Jason Haar

On Sun, Aug 18, 2002 at 11:40:13PM -0700, Anbuchezhian Chelliah wrote:
> Hi Danny,
> I guess I understood your doubt. If not, please
> ignore this. There should be 'ca-bundle.crt' file in
> which you can put the third party's certificate and
> you could make a try.

Whoa! If you are running your own CA and only want your https server to
accept certs signed by that CA, then YOU MUST NOT USE THE ca-bundle.crt
FILE!!!

Replace it with your own cacert instead. Otherwise you are actually telling
your https server that *any* cert signed by *any* CA is valid - which may
not be what you want...

This is especially pertinent given the huge SSL hole found in IE/Konqueror
recently...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
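As an added example (not code from the thread, and not mod_ssl's own), here is a POSIX shell script that ties the two answers together. It builds a throwaway "partner" CA (the other party that issues Danny's client certs) and an unrelated CA with openssl, then shows what mod_ssl's SSLCACertificateFile check amounts to: a client cert verifies only against the CA file it chains to, appending the partner CA to a bundle lets the unrelated CA's certs through (Jason's warning), and the validity period is enforced. It finishes by emitting a vhost that combines tgagne's ProxyPass lines with SSLVerifyClient. All CA and user names, file paths, the hostname, the RequestHeader line (which needs mod_headers) and the reuse of tgagne's 10.0.10.1 backend are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Shows (1) a vhost joining tgagne's
# ProxyPass lines to client-cert checking and (2) Jason Haar's warning: the
# CA file handed to mod_ssl decides which client certs count as valid.
# Every name and path here (partner-ca, other-ca, alice, mallory, ...) is
# constructed for the demo.
set -eu

WORK=$(mktemp -d)

# Self-signed CA: private key plus cert. $1 = file stem, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Client cert issued by a CA. $1 = CA stem, $2 = client stem, $3 = CN, $4 = days.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days "$4" -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# The check mod_ssl performs with SSLCACertificateFile: chain the client cert
# to a CA in the file and enforce its validity period. $1 = CA file,
# $2 = client cert, optional $3 = epoch seconds to evaluate at (default: now).
verify_client_cert() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Reverse-proxy vhost that demands a client cert from the partner CA.
# $1 = partner CA cert, $2 = partner CRL. Backend taken from tgagne's post.
vhost_conf() {
  cat <<EOF
<VirtualHost *:443>
    ServerName proxy.example.test
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/server.crt
    SSLCertificateKeyFile /etc/apache/ssl/server.key

    # Only the partner CA, never the distribution's ca-bundle.crt:
    # every CA listed in this file can mint a cert that passes the check.
    SSLCACertificateFile $1
    SSLVerifyClient      require
    SSLVerifyDepth       1
    # Revoked certs: the partner's CRL (Apache 2.4 additionally needs
    # "SSLCARevocationCheck chain" before the file is consulted).
    SSLCARevocationFile  $2

    # Pass the verified subject to the backend (mod_headers assumed);
    # "set" overwrites any copy of the header a client sent.
    SSLOptions +StdEnvVars
    RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}e"

    # Keep this Off or the host becomes an open forward proxy.
    ProxyRequests    Off
    ProxyPass        /cgi/ http://10.0.10.1/cgi/
    ProxyPassReverse /cgi/ http://10.0.10.1/cgi/
</VirtualHost>
EOF
}

make_ca partner-ca "Partner Client CA"        # the "other party" from the thread
make_ca other-ca   "Some Unrelated CA"        # stands in for any CA in ca-bundle.crt
issue_client_cert partner-ca alice   "alice" 365
issue_client_cert other-ca   mallory "alice" 365   # same CN, wrong issuer
cat "$WORK/other-ca.crt" "$WORK/partner-ca.crt" > "$WORK/ca-bundle.crt"
FAR_FUTURE=$(( $(date +%s) + 400 * 86400 ))       # beyond alice's notAfter

report() { if "$@"; then echo "ACCEPT: $*"; else echo "REJECT: $*"; fi; }
report verify_client_cert "$WORK/partner-ca.crt" "$WORK/alice.crt"               # ACCEPT
report verify_client_cert "$WORK/partner-ca.crt" "$WORK/mallory.crt"             # REJECT
report verify_client_cert "$WORK/ca-bundle.crt"  "$WORK/mallory.crt"             # ACCEPT (the bundle mistake)
report verify_client_cert "$WORK/partner-ca.crt" "$WORK/alice.crt" "$FAR_FUTURE" # REJECT (expired)
vhost_conf "$WORK/partner-ca.crt" "$WORK/partner.crl" > "$WORK/ssl-proxy.conf"
echo "demo files left in $WORK"
```

The third line of output is the whole point of Jason's reply: once the partner CA sits in a file alongside other CAs, a cert with the right CN from any of those CAs is accepted, and nothing in the handshake tells the backend which issuer it came from. The script leaves its files in place so the generated vhost can be inspected.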