certificate + network ACL + passwords problem?
am 23.09.2002 00:53:29 von Harald Koch
I've tried this both with the stock (fully patched) RedHat 7.2, and with
a fresh-built Apache 1.3.26 + modssl-2.8.10-1.3.26 + openssl-0.9.6g.
With the attached config snippet for a "private" directory, based on the
samples from the documentation, the webserver first asks me for my
certificate, successfully validates it, and *then* asks me for a
username/password. I know the certificate is successfully authenticated,
as I've modified my CustomLog entry to log the values of
SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, and SSL_CIPHER_USEKEYSIZE.
If I comment out the four lines for network-based access control:
#Order deny,allow
#Deny from all
#Allow from 127.0.0.1
#Allow from 199.85.99.0/24
Then I get my expected behaviour, which is:
- if I give a certificate, I get access
- if I don't give a certificate, I am asked for username/password
Am I being dense about combining access control methods, or is there a
bug somewhere?
Thanks in advance,
--
Harald Koch
"It takes a child to raze a village."
-Michael T. Fry
# any "intranet" access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate
# If HTTPS is used, make sure a strong cipher is used.
# Additionally, allow client certs as an alternative to basic auth.
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 2
SSLOptions -StrictRequire +OptRenegotiate +StdEnvVars
SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
# Allow any of certs, network access or basic auth
Satisfy any
# Network Access Control
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 199.85.99.0/24
# HTTP Basic Authentication
AuthType Basic
AuthName "CFRQ users"
AuthUserFile /etc/httpd/conf/passwd
Require valid-user
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: certificate + network ACL + passwords problem?
am 23.09.2002 14:58:59 von John.Airey
I think it's just the way you use allow, deny. I would have put this myself:
Order deny,allow
Deny from all
Allow from 127.0.0.1 199.85.99.
The Allow syntax has always seemed odd to me. What appears in the
documentation at http://httpd.apache.org/docs/mod/mod_access.html#allow
doesn't all work for me.
-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
Reality TV - the ultimate oxymoron
Re: certificate + network ACL + passwords problem?
am 23.09.2002 16:15:15 von Harald Koch
> I think it's just the way you use allow, deny. I would have put this myself:
>
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1 199.85.99.
Same behaviour, alas.
--
Harald Koch
"It takes a child to raze a village."
-Michael T. Fry
RE: certificate + network ACL + passwords problem?
am 23.09.2002 23:15:02 von Robert Lagana
Hi,
Does anyone know what the "Challenge Passphrase" is used for when creating a CSR?
I know it can be used for a Verisign renewal or reissue etc...
Is there anything else?
Thanks,
Rob
Re: certificate + network ACL + passwords problem?
am 25.09.2002 23:06:43 von Harald Koch
I was once rumoured to have written:
> SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
> # Allow any of certs, network access or basic auth
> Satisfy any
>
> # Network Access Control
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1
> Allow from 199.85.99.0/24
FWIW, I just figured out that if I move the network access control into
the SSLRequire line, then I get my desired behaviour:
SSLRequire (( %{SSL_CIPHER_USEKEYSIZE} >= 128 \
and %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) \
or ( %{REMOTE_ADDR} =~ m/^(127\.0\.0\.1|199\.85\.99\.[0-9]+)$/ ))
It's better than nothing, I guess :-)
--
Harald Koch
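Editor's note, added to this archived thread (the code below is not from the thread, from mod_ssl or from Apache): the behaviour Harald reports follows from how Apache 1.3 combines the pieces of this configuration. `Order/Deny/Allow` (mod_access) and `SSLRequire` (mod_ssl) are both access-checker hooks and run in one phase, where the first non-OK result fails the whole phase, so two checkers combine as AND. `Satisfy any` only ORs the result of that whole phase with user authentication, and with `-StrictRequire` (as in the posted config) a failed `SSLRequire` is allowed to fall through to Basic auth instead of producing a 403. A client from the Internet that presents a valid certificate therefore passes `SSLRequire`, fails mod_access, and is challenged for a password; folding the network test into the `SSLRequire` expression makes one checker express the intended OR. The Python model below, with constructed request environments (the outside address 203.0.113.7 is a documentation-range value), reproduces the three configurations discussed in the thread. The SSLRequire expressions are written as Python predicates rather than parsed from mod_ssl's expression language. It also shows why the two alternatives of the `REMOTE_ADDR` regex need a group: `|` binds more loosely than `^` and `$`, so an ungrouped pattern accepts 127.0.0.100 through its first branch.

```python
import ipaddress
import re

# Illustrative model of the Apache 1.3 "Satisfy any" decision flow discussed in
# this thread (added example, not code from the thread, mod_ssl or Apache).
# Request environments below are constructed sample data.

OK, FORBIDDEN = "OK", "FORBIDDEN"


def mod_access(allow_from):
    """Model of 'Order deny,allow / Deny from all / Allow from <hosts>'."""
    networks = [ipaddress.ip_network(a, strict=False) for a in allow_from]

    def check(env):
        addr = ipaddress.ip_address(env["REMOTE_ADDR"])
        return OK if any(addr in n for n in networks) else FORBIDDEN

    return check


def strong_cipher_and_cert(env):
    """Model of the original SSLRequire:
    %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_VERIFY} eq "SUCCESS"."""
    ok = env["SSL_CIPHER_USEKEYSIZE"] >= 128 and env["SSL_CLIENT_VERIFY"] == "SUCCESS"
    return OK if ok else FORBIDDEN


# Both alternatives sit inside one group so ^ and $ anchor each of them.
INTRANET_RE = re.compile(r"^(127\.0\.0\.1|199\.85\.99\.[0-9]+)$")
# Without the group, '|' splits the pattern into '^127\.0\.0\.1' and
# '199\.85\.99\.[0-9]+$', and the first branch also matches 127.0.0.100.
UNGROUPED_RE = re.compile(r"^127\.0\.0\.1|199\.85\.99\.[0-9]+$")


def cert_or_intranet(env):
    """Model of the combined SSLRequire: (cipher and cert) or REMOTE_ADDR =~ m/.../."""
    if strong_cipher_and_cert(env) == OK:
        return OK
    return OK if INTRANET_RE.match(env["REMOTE_ADDR"]) else FORBIDDEN


def decide(env, access_checkers, auth_configured=True, password_ok=False):
    """Simplified Apache 1.3 core handling for 'Satisfy any'.

    All access_checker hooks run in one phase and the first non-OK result
    fails it (AND).  Only when the whole phase fails does 'Satisfy any' fall
    back to user authentication; with no AuthType configured it is a 403.
    """
    for check in access_checkers:
        if check(env) != OK:
            break
    else:
        return "200 (access checkers)"
    if not auth_configured:
        return "403"
    return "200 (basic auth)" if password_ok else "401 (username/password requested)"


def request(remote_addr, cert_ok=True, keysize=128):
    """Constructed request environment as mod_ssl +StdEnvVars would expose it."""
    return {
        "REMOTE_ADDR": remote_addr,
        "SSL_CIPHER_USEKEYSIZE": keysize,
        "SSL_CLIENT_VERIFY": "SUCCESS" if cert_ok else "NONE",
    }


ACL = mod_access(["127.0.0.1", "199.85.99.0/24"])
ORIGINAL = [ACL, strong_cipher_and_cert]  # config as first posted
WITHOUT_ACL = [strong_cipher_and_cert]    # the four mod_access lines commented out
FOLDED = [cert_or_intranet]               # network test moved into SSLRequire

INTERNET = "203.0.113.7"  # constructed outside address (TEST-NET-3)

if __name__ == "__main__":
    for name, checkers in (("original", ORIGINAL), ("no mod_access", WITHOUT_ACL), ("folded", FOLDED)):
        print(f"{name:14s} internet, cert   : {decide(request(INTERNET), checkers)}")
        print(f"{name:14s} internet, no cert: {decide(request(INTERNET, cert_ok=False), checkers)}")
        print(f"{name:14s} intranet, no cert: {decide(request('199.85.99.42', cert_ok=False), checkers)}")
```

Running it shows the original configuration answering the certificate-bearing Internet client with a 401, the mod_access-free configuration granting on the certificate alone, and the folded `SSLRequire` granting on either a certificate or an intranet address while still challenging everyone else for a password.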