Client Authentication and Access Control

Client Authentication and Access Control

am 03.06.2005 08:56:56 von somme

Hi.

I have read the instructions at:

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

and successfully set up a web server which runs HTTPS and requires
client certificates for authentication.

However, I am not 100% pleased with neither of the *two* methods. What I
dislike is the *user-id* part of the information that is stored in the
access log:

Method 1 (mod_auth):

The user-id field is a string converted from the *full* subject DN in the
client certificate which in my case (with Verisign class 1 certificates)
are typically 230 chars long!

Method 2 (SSLRequire):

The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?


One more thing with method 1: I noted that the syntax in mod_auth/AuthGroupFile
is:

mygroup: user-id1 user-id2 user-id3

i.e. using space as a separator. The user-id produced in method 1 above
contains a lot of spaces. How can this work? Using quotes?

Thanks.

Oyvin
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Client Authentication and Access Control

am 03.06.2005 09:47:46 von Joe Orton

On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
> Method 2 (SSLRequire):
>=20
> The user-id field is just '-'.
>=20
> Can I somehow configure apache/mod_ssl to only store certain elements o=
f
> the DN (e.g. the CN in the DN) as the user-id in the access-log?

mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
this:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusernam e

Regards,

joe
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Client Authentication and Access Control

am 14.06.2005 14:24:12 von somme

Joe Orton wrote:
> On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
>=20
>>Method 2 (SSLRequire):
>>
>> The user-id field is just '-'.
>>
>>Can I somehow configure apache/mod_ssl to only store certain elements o=
f
>>the DN (e.g. the CN in the DN) as the user-id in the access-log?
>=20
>=20
> mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
> this:
>=20
> http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusernam e
>=20
> Regards,
>=20
> joe
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

Thanks for a very good suggestion. Seems to be just what I need.
So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
inside the context. This resulted in *no*
change in my log files, the user-id field was still '-'.

Any idea why it didn't work?


Regards
Øyvin
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Client Authentication and Access Control

am 14.06.2005 16:28:52 von somme

Øyvin Sømme wrote:
> Joe Orton wrote:
>=20
>> On Fri, Jun 03, 2005 at 08:56:56AM +0200, Øyvin Sømme wrote:
>>
>>> Method 2 (SSLRequire):
>>>
>>> The user-id field is just '-'.
>>>
>>> Can I somehow configure apache/mod_ssl to only store certain elements=
of
>>> the DN (e.g. the CN in the DN) as the user-id in the access-log?
>>
>>
>>
>> mod_ssl in httpd 2.0 supports the "SSLUsername" directive which allows
>> this:
>>
>> http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslusernam e
>>
>> Regards,
>>
>> joe
>=20
>=20
> Thanks for a very good suggestion. Seems to be just what I need.
> So I tried to use the directive 'SSLUserName SSL_CLIENT_S_DN_CN'
> inside the context. This resulted in *no*
> change in my log files, the user-id field was still '-'.
>=20
> Any idea why it didn't work?
>=20
>=20
> Regards
> Øyvin


I found out the issue: I cannot use 'SSLOptions +FakeBasicAuth' together =
with 'SSLUserName xxx'
(not documented anywhere).

Regards.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org