SSLProxy* directives

on 15.10.2002 18:16:07 by Maik Mueller

Hello,

I have discovered some strange behavior using mod_proxy with SSL Client
Authentication.

We are talking about the following scenario:
Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role: SSL Client --- SSL Server | SSL Client --- SSL Server

Let's have a look at the second part of the connection:
Component: mod_proxy --- Web Server
SSL Role: SSL Client --- SSL Server

In my scenario the Web server requires an SSL Client Certificate from
mod_proxy.

I figured out that providing both, client certificate and private key, in a
file referenced by SSLProxyMachineCertificateFile makes this scenario
work.


This brings up some questions for me:

Why aren't there two options like SSLProxyMachineCertificateFile,
SSLProxyMachineKeyFile for separated certificate and key files?

Is there a way to provide several certificate/key pairs?

The Apache documentation (www.apache.org) describes SSLProxy* as part of
mod_ssl. Why isn't there any information about SSLProxy* on www.modssl.org?
(Probably Ralf Engelschall can explain this.)

Is this Apache 2.0 feature available in Apache 1.3 too?

I think the current documentation of SSLProxyMachineCertificateFile is at
least misleading.

Regards,
Maik
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLProxy* directives

on 15.10.2002 21:07:33 by Joe Orton

Hi,

On Tue, Oct 15, 2002 at 06:16:07PM +0200, Maik Mueller wrote:
> This brings up some questions for me:
>
> Why aren't there two options like SSLProxyMachineCertificateFile,
> SSLProxyMachineKeyFile for separated certificate and key files?
>
> Is there a way to provide several certificate/key pairs?

Yes, you can either put several key pairs in the file referenced by
SSLProxyMachineCertificateFile, or you can use a directory of files
(each containing a key pair) with SSLProxyMachineCertificatePath; all
files in the specified directory are loaded.

If you have configured the origin server to send a list of CA names in
the client certificate request, mod_ssl will then try to pick an
appropriate client cert which was issued by one of the CA names it
receives. (there are some useful debugging messages at "SSLLogLevel
debug")

> The Apache documentation (www.apache.org) describes SSLProxy* as part of
> mod_ssl. Why isn't there any information about SSLProxy* on www.modssl.org?
> (Probably Ralf Engelschall can explain this.)
>
> Is this Apache 2.0 feature available in Apache 1.3 too?

Yep, these directives work in mod_ssl/2.8 for Apache 1.3, though they were
never documented.

> I think the current documentation of SSLProxyMachineCertificateFile is at
> least misleading.

Yes, it's been cut'n'pasted badly; you could report a documentation bug
on that at http://nagoya.apache.org/bugzilla/

Regards,

joe

--
Joe Orton, Red Hat Europe, Stronghold Engineering
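The configuration Joe describes, written out as an added example (not taken from the thread or from the mod_ssl documentation; hostnames, file paths and log locations are assumptions). It covers both halves of Maik's diagram: the proxy is an SSL server towards the browser and an SSL client towards the origin. The "all-in-one" file is just the PEM client certificate followed by its private key, so the separate SSLProxyMachineKeyFile directive Maik asks about is not needed; several such pairs can be concatenated in order of preference, or kept one per file in the SSLProxyMachineCertificatePath directory. Two caveats a practitioner will want: the private keys in that file must be unencrypted, since mod_ssl of this era has no way to ask for a passphrase for proxy client keys, so the file needs restrictive permissions; and the file should contain only the client certificate and key, not the origin CA chain, which belongs in SSLProxyCACertificateFile so that SSLProxyVerify can check the origin server.

```apache
# Added example: proxy vhost acting as SSL client to an origin that
# requires a client certificate. All paths and names are assumptions.
Listen 443
<VirtualHost *:443>
    ServerName proxy.example.com

    # Front half: Web Browser --- Proxy. The proxy is the SSL server here.
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/proxy-server.crt
    SSLCertificateKeyFile /etc/apache/ssl/proxy-server.key

    # Back half: Proxy --- Web Server. The proxy is the SSL client here.
    SSLProxyEngine on

    # Verify the origin server's certificate against the CAs we trust,
    # so a client certificate is never presented to an impostor origin.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/apache/ssl/origin-ca-bundle.crt

    # Client certificate(s) presented to the origin. One file containing
    # PEM pairs "certificate then unencrypted key", in order of preference:
    #   -----BEGIN CERTIFICATE-----  ... -----END CERTIFICATE-----
    #   -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
    # (built with: cat client.crt client.key > proxy-client.pem; chmod 600)
    SSLProxyMachineCertificateFile /etc/apache/ssl/proxy-client.pem

    # Alternatively, or in addition: a directory with one cert+key pair per
    # file. Every file in the directory is loaded.
    SSLProxyMachineCertificatePath /etc/apache/ssl/proxy-clients/

    # Shows which client certificate mod_ssl picks against the CA names the
    # origin sends in its certificate request (Apache 2.4 uses
    # "LogLevel ssl:debug" instead of these two directives).
    SSLLog      /var/log/apache/ssl_engine.log
    SSLLogLevel debug

    ProxyRequests    Off
    ProxyPass        / https://origin.example.com/
    ProxyPassReverse / https://origin.example.com/
</VirtualHost>
```

When more than one pair is configured and the origin sends a list of acceptable CA names, mod_ssl chooses the first certificate whose issuer is in that list; if the origin sends no CA names, the first pair in the file is used, so put the preferred one first.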

Re: SSLProxy* directives

on 15.10.2002 21:07:56 by Daniel Lopez

> The Apache documentation (www.apache.org) describes SSLProxy* as part of
> mod_ssl. Why isn't there any information about SSLProxy* on www.modssl.org?
> (Probably Ralf Engelschall can explain this.)

Because nobody wrote it :( I was the one who wrote it for Apache 2, based
on some stuff we had for Covalent SSL.

> Is this Apache 2.0 feature available in Apache 1.3 too?

I think so, you need to compile with the SSL_EXPERIMENTAL flag. But I do not
think it worked very well. Doug MacEachern rewrote a big part of it to work
more cleanly in Apache 2.0.

> I think the current documentation of SSLProxyMachineCertificateFile is at
> least misleading.

Please correct and submit a patch to docs@httpd.apache.org :)

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/


Re: SSLProxy* directives

on 15.10.2002 21:48:22 by Joe Orton

On Tue, Oct 15, 2002 at 12:07:56PM -0700, Daniel Lopez wrote:
>
> > The Apache documentation (www.apache.org) describes SSLProxy* as part of
> > mod_ssl. Why isn't there any information about SSLProxy* on www.modssl.org?
> > (Probably Ralf Engelschall can explain this.)
>
> Because nobody wrote it :( I was the one who wrote it for Apache 2, based
> on some stuff we had for Covalent SSL
>
> > Is this Apache 2.0 feature available in Apache 1.3 too?
>
> I think so, you need to compile with SSL_EXPERIMENTAL flag. But I do not
> think it worked very well Doug MacEachern rewrote a big part of it to work
> more cleanly in Apache 2.0

AFAICT the handling of client certs was not functionally changed at all
in 2.0, though yes, it has been massively cleaned up (using sensible
variable names rather than random collections of letters and all that
lovely stuff ;).

Regards,

joe