SSL Client Auth with Virtual Hosts
on 31.05.2005 18:05:25 by Hoda Nadeem
Does anybody know if it is possible to use virtual hosts with one
virtual host with ssl client authentication, but the other one without?
Example:
NameVirtualHost 111.111.111.111:443
<VirtualHost 111.111.111.111:443>
ServerAdmin adsfasfsa@asdfasfds.com
DocumentRoot /var/www
ServerName abc1-no-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
NameVirtualHost 111.111.111.111:443
<VirtualHost 111.111.111.111:443>
ServerAdmin adsfasfsa@asdfasfds.com
DocumentRoot /var/www
ServerName abc1-ssl-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
SSLSessionCache none
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: SSL Client Auth with Virtual Hosts
on 02.06.2005 14:50:07 by Daniel Kimblad
Yes, I've had an environment like that running.
/Daniel
RE: SSL Client Auth with Virtual Hosts
on 02.06.2005 15:26:57 by Hoda Nadeem
Are there any parameters that I am missing, or am I doing something
incorrect?
On my setup, client authentication is either on or off globally. I can't
seem to isolate it at the virtual host level.
Thanks.
Nadeem
Example again:
NameVirtualHost 111.111.111.111:443
<VirtualHost 111.111.111.111:443>
ServerAdmin adsfasfsa@asdfasfds.com
DocumentRoot /var/www
ServerName abc1-no-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
<VirtualHost 111.111.111.111:443>
ServerAdmin adsfasfsa@asdfasfds.com
DocumentRoot /var/www
ServerName abc1-ssl-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
Re: SSL Client Auth with Virtual Hosts
on 02.06.2005 16:22:02 by Daniel Kimblad
I'm not a guru but I would suspect that your NameVirtualHost
directives need to differ. You probably need to configure the
virtual hosts using their domain names, like this:
------------------------------------------------------------
NameVirtualHost abc1-no-client-auth.com:443
...
NameVirtualHost abc1-ssl-client-auth.com:443
...
------------------------------------------------------------
Otherwise I think one will just overwrite the other.
Also for MSIE compatibility it is recommended that you add
the following to the virtual host configuration:
------------------------------------------------------------
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
------------------------------------------------------------
Hope this was helpful.
/Daniel
Re: SSL Client Auth with Virtual Hosts
on 02.06.2005 16:33:59 by Eckard Wille
Hoda Nadeem wrote:
> On my setup, client authentication is either on or off globally. I can't
> seem to isolate it at the virtual host level.
Exactly.
Take a look at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts,
use a different IP for your second host and it will work.
Greetings from Germany,
Eckard
RE: SSL Client Auth with Virtual Hosts
on 13.06.2005 20:55:52 by Hoda Nadeem
Eckard and All,
Does anybody know if there is any work around to get the following
scenario to work?
1 IP Address
2 domain names attached to the same server IP address
2 SSL virtual hosts: 1 with client authentication, 1 without client
authentication
I need to try to avoid using a second IP address for the same server.
Some folks are insisting that there must be a way to get the scenario to
work.
Any help is appreciated,
Thanks.
Nadeem
Re: SSL Client Auth with Virtual Hosts
on 14.06.2005 09:06:26 by Eckard Wille
Hoda Nadeem wrote:
> Eckard and All,
>
> Does anybody know if there is any work around to get the following
> scenario to work?
>
> 1 IP Address
> 2 domain names attached to the same server IP address
> 2 SSL virtual hosts: 1 with client authentication, 1 without client
> authentication
>
> I need to try to avoid using a second IP address for the same server.
> Some folks are insisting that there must be a way to get the scenario to
> work.
Hi,
maybe you should reach your goal with some mod_rewrite tricks. The
points mentioned at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts
are still valid, only one vhost per ip. You could give mod_rewrite a
try to push clients to different directories which are configured for
secure and public ssl access.
Try something like this:
<VirtualHost _default_:443>
ServerName www.vhost1.com
ServerAlias www.vhost2.com
SSLEngine on
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
# client certificates are demanded only below the secured path
<Location /ssl/securedir>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
RewriteEngine on
#RewriteLogLevel 7
#RewriteLog logs/RewriteLog
#RewriteCond %{SERVER_NAME}
# match only the entry points / and /index.htm; an unanchored alternation
# here would match every path, including the redirect targets, and loop
RewriteCond %{HTTP_HOST} www.vhost1.com
RewriteRule ^/(index\.htm)?$ /ssl/securedir [R,L]
RewriteCond %{HTTP_HOST} www.vhost2.com
RewriteRule ^/(index\.htm)?$ /ssl/public [R,L]
</VirtualHost>
This would just be a starting switch, modify the regexp to push all
desired content into the matching secure location (see
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6). I personally did
not try this, but if this does not work maybe mod_setenvif can be used
to distinguish the different names.
Greetings from Germany,
Eckard
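The "one SSL vhost per IP:port" rule from the FAQ Eckard cites can be checked mechanically. This is an added example, not code from the thread or from mod_ssl: a small Python lint that walks the <VirtualHost> blocks of a config and flags any address:port carrying more than one SSL-enabled vhost. Without SNI (the mod_ssl 2.8 / Apache 1.3 setup discussed here) the server has fixed its certificate and client-auth policy before the Host header can be read, so the second vhost's SSLVerifyClient never takes effect. The sample config is constructed from the thread's two vhosts.

```python
import re

# Constructed sample: the thread's two SSL vhosts, both bound to the same IP:port.
SAMPLE_CONF = """
NameVirtualHost 111.111.111.111:443
<VirtualHost 111.111.111.111:443>
    ServerName abc1-no-client-auth.com
    SSLEngine on
</VirtualHost>
<VirtualHost 111.111.111.111:443>
    ServerName abc1-ssl-client-auth.com
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)

def parse_vhosts(text):
    """Yield (address_spec, {directive: value}) per top-level <VirtualHost> block;
    directives inside nested <Location>/<Directory> containers are per-path and skipped."""
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if current is None:
            if m:
                current = (m.group(1).strip(), {})
        elif line.lower() == "</virtualhost>":
            yield current
            current = None
        elif line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            key, _, value = line.replace("\t", " ").partition(" ")
            current[1][key.lower()] = value.strip()

def find_ssl_vhost_conflicts(text):
    """Return {address_spec: [(ServerName, SSLVerifyClient), ...]} for each IP:port with
    more than one SSL vhost; without SNI only the first vhost's SSL settings there apply."""
    by_addr = {}
    for addr, d in parse_vhosts(text):
        if d.get("sslengine", "off").lower() == "on":
            by_addr.setdefault(addr, []).append(
                (d.get("servername", "?"), d.get("sslverifyclient", "none")))
    return {addr: hosts for addr, hosts in by_addr.items() if len(hosts) > 1}
```

Running it on the sample reports the shared 111.111.111.111:443 with one vhost at "none" and one at "require", which is exactly the "on or off globally" behaviour Hoda observed.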
RE: SSL Client Auth with Virtual Hosts
on 23.06.2005 19:27:23 by Hoda Nadeem
A team member was able to find a working solution (issue: single IP, two
domains, one domain requires client auth, the other domain plain SSL,
both functional with same apache instance using virtual hosts):
NameVirtualHost [ip]:443
<VirtualHost [ip]:443>
ServerAdmin adsfasfsa@asdfasfds.com
DocumentRoot /var/www
ServerName [hostname1]
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
</VirtualHost>

<VirtualHost [ip]:443>
ServerAdmin adsfasfsa@asdfasfds.com
DocumentRoot /var/www
ServerName [hostname2]
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
Re: SSL Client Auth with Virtual Hosts
on 24.06.2005 09:50:04 by Eckard Wille
Hoda Nadeem wrote:
> A team member was able to find a working solution (issue: single IP, two
> domains, one domain requires client auth, the other domain plain SSL,
> both functional with same apache instance using virtual hosts):
Hi Hoda,
test the following:
Close all browsers to get a new clean session (start a new IE). Use a
browser with definitely no included user cert (sometimes free
email certs are also enabled for client authentication; back up and
remove them). Visit your second defined vhost. Is it asking for a user cert?
According to your setup all requests can go to only one of the
configured vhosts; do some more tests with clean browsers (=> close your
browsers after each test to ensure the session is really closed). To
ensure you are on the right vhost it would make sense to use different
docroots with different content showing right away which one you are hitting.
Eckard
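Eckard's clean-browser test, done from the command line instead. This is an added example, not from the thread: it drives openssl s_client (assumed to be on PATH) as a client holding no certificate, connects once per hostname to the shared address, and records whether the server asked for a certificate and which HTTP status line came back. The transcripts embedded for summarize() are constructed; the addresses and hostnames are whatever you pass to compare_vhosts().

```python
import subprocess

# Constructed s_client transcripts, trimmed to the lines that matter.
# Vhost with SSLVerifyClient require, no certificate offered: request seen, then failure.
WITH_REQUEST = """---
Acceptable client certificate CA names
C = XX, O = Example Corp, CN = Example Internal CA
---
SSL handshake has read 2310 bytes and written 415 bytes
error:0A000410:SSL routines::sslv3 alert handshake failure
"""
# Plain SSL vhost: no certificate request, and the HEAD / response comes back.
WITHOUT_REQUEST = """---
No client certificate CA names sent
---
SSL handshake has read 2105 bytes and written 415 bytes
HTTP/1.1 200 OK
Server: Apache
"""

def summarize(s_client_output):
    """Return (cert_request, http_status): 'cert-requested' | 'no-cert-request' | 'unknown',
    and the HTTP response line or None. Caveat: a server that requests a certificate but
    lists no CA names also prints 'No client certificate CA names sent'; mod_ssl with
    SSLCACertificateFile set does list them, so the test holds for this thread's setup."""
    cert_request, http_status = "unknown", None
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            cert_request = "cert-requested"
        elif line.startswith("No client certificate CA names sent"):
            cert_request = "no-cert-request"
        elif line.startswith("HTTP/"):
            http_status = line.strip()
    return cert_request, http_status

def run_s_client(hostname, address, port=443):
    """Live probe: a fresh connection with Host (and SNI, harmless to a pre-SNI server)
    set to hostname and no client certificate, which is what a clean browser would do."""
    request = f"HEAD / HTTP/1.0\r\nHost: {hostname}\r\n\r\n"
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{address}:{port}", "-servername", hostname],
        input=request, capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr

def compare_vhosts(address, hostnames, port=443):
    """Eckard's test as a script: probe every name on the same address and return
    {hostname: (cert_request, http_status)}. Identical results for every name mean
    the server answers from one vhost regardless of which name was requested."""
    return {h: summarize(run_s_client(h, address, port)) for h in hostnames}
```

Per-Location client auth (Eckard's mod_rewrite variant) is only triggered on a request below the secured path, so a HEAD / probe will report no-cert-request for it; this script answers the vhost-level question the thread is about.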