What is a good way to determine this

I have what I think is probably an easy question to answer, but I have done
some searching and have not found anything obvious. The gist of the
question is:

I have mod_ssl running and have my entire site covered with it (there is
nothing listening on port 80). I also have .htaccess files forcing people
to log into the site. Is the username and password transaction from the
..htaccess prompt encrypted, being as it is the first thing the user logging
on is prompted to perform?

My gut feeling is, of course. I have SSL options protecting the directory
and the .htaccess file (i will include those at the end). But the reason
why I am doubting myself is the logs show me something sketchy. I have a
Custom log that shows the username and SSL environment variables of the
user logging in:

....
LogFormat "%t \t%u \t-->
%{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <--
\t%r" sslformat
CustomLog logs/ssl/mbsindassl.log sslformat
....

But here is the log file entry that I am worried about:
....
[27/Nov/2002:16:46:29 -0500] - --> - - - <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500] mbarton --> RC4-MD5 128 SSLv3 <-- GET
/index.html HTTP/1.1
....

The log file shows first the request with no username (which makes sense
because they haven't logged on yet) but the SSL environment variables are
all NULL too. So is this just a problem with the way environment variables
are reported to the log? Because it looks like there is not an SSL
connection before the user logs in!

I have verifed that SSL is up and running and working correctly for the
site with s_client.

The software I am using is:
Windows 2000
Apache 1.3.27
Mod_SSL 2.8.12
OpenSSL 0.9.6g


Here is the top-level .htaccess file
------------------------------------------------------------
AuthName "Dude, you had better be authorized"
AuthType Basic
AuthUserFile "C:/MBserver/Apache/bin/.htpasswd"

SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

require user mbarton


Here is the relevant SSL Portion of the httpd.conf file
------------------------------------------------------------ -----------------------



AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLMutex sem
SSLSessionCache dbm:logs/ssl/scache
SSLSessionCacheTimeout 400
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl/engine.log
SSLLogLevel warn



DocumentRoot "C:/MBserver/Apache/secure"
ErrorLog logs/ssl/error.log
LogLevel debug
TransferLog logs/ssl/access.log
LogLevel debug
AccessFileName .htaccess

LogFormat "%>s \t%u \t%r \t%t \t%f \t%h \t%a \t%A \t%c \t%b \t%e \t%p
\t%s" docscommon
LogFormat "%t \t%u \t%{Referer}i -> %U" docsreferer
LogFormat "%t \t%u \t%{User-agent}i" docsagent
LogFormat "%t \t%u \t%r" docssmall
LogFormat "%t \t%u \t-->
%{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <--
\t%r" sslformat

CustomLog logs/ssl/mbsinda.log docscommon
CustomLog logs/ssl/mbsindareferer.log docsreferer
CustomLog logs/ssl/mbsindaagent.log docsagent
CustomLog logs/ssl/mbsindasmall.log docssmall
CustomLog logs/ssl/mbsindassl.log sslformat

ScriptAlias /cgi-bin/ "C:/MBserver/Apache/secure/cgi-bin/"


SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLOptions +StdEnvVars +ExportCertData


SSLProtocol -all +SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:-EXP:-LOW:-SSLv2

SSLCertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.crt"
SSLCertificateKeyFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.key"
SSLCACertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaCA.crt"
SSLCACertificatePath "C:/MBserver/Apache/conf/ssl-AA"
SSLOptions +CompatEnvVars +StdEnvVars
SSLEngine on





I appreciate you guys taking a look at this,

Thanks,
Mark Barton

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: What is a good way to determine this

Hi Mark,

I use SSLFakeBasicAuth in my httpd.conf. I assumed it was encrypted because
I'm stating to use SSL but fake basic Auth. Maybe I am not understanding
SSLFakeBasicAuth? Let me know what other people say, I would appericate
that.

Thanks
Ron

-----Original Message-----
From: owner-modssl-users@modssl.org
[mailto:owner-modssl-users@modssl.org]On Behalf Of Mark Barton
Sent: Wednesday, November 27, 2002 2:32 PM
To: modssl-users@modssl.org
Subject: What is a good way to determine this


I have what I think is probably an easy question to answer, but I have done
some searching and have not found anything obvious. The gist of the
question is:

I have mod_ssl running and have my entire site covered with it (there is
nothing listening on port 80). I also have .htaccess files forcing people
to log into the site. Is the username and password transaction from the
..htaccess prompt encrypted, being as it is the first thing the user logging
on is prompted to perform?

My gut feeling is, of course. I have SSL options protecting the directory
and the .htaccess file (i will include those at the end). But the reason
why I am doubting myself is the logs show me something sketchy. I have a
Custom log that shows the username and SSL environment variables of the
user logging in:

....
LogFormat "%t \t%u \t-->
%{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <--
\t%r" sslformat
CustomLog logs/ssl/mbsindassl.log sslformat
....

But here is the log file entry that I am worried about:
....
[27/Nov/2002:16:46:29 -0500] - --> - - - <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500] mbarton --> RC4-MD5 128 SSLv3 <-- GET
/index.html HTTP/1.1
....

The log file shows first the request with no username (which makes sense
because they haven't logged on yet) but the SSL environment variables are
all NULL too. So is this just a problem with the way environment variables
are reported to the log? Because it looks like there is not an SSL
connection before the user logs in!

I have verifed that SSL is up and running and working correctly for the
site with s_client.

The software I am using is:
Windows 2000
Apache 1.3.27
Mod_SSL 2.8.12
OpenSSL 0.9.6g


Here is the top-level .htaccess file
------------------------------------------------------------
AuthName "Dude, you had better be authorized"
AuthType Basic
AuthUserFile "C:/MBserver/Apache/bin/.htpasswd"

SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

require user mbarton


Here is the relevant SSL Portion of the httpd.conf file
------------------------------------------------------------ ----------------
-------



AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLMutex sem
SSLSessionCache dbm:logs/ssl/scache
SSLSessionCacheTimeout 400
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl/engine.log
SSLLogLevel warn



DocumentRoot "C:/MBserver/Apache/secure"
ErrorLog logs/ssl/error.log
LogLevel debug
TransferLog logs/ssl/access.log
LogLevel debug
AccessFileName .htaccess

LogFormat "%>s \t%u \t%r \t%t \t%f \t%h \t%a \t%A \t%c \t%b \t%e \t%p
\t%s" docscommon
LogFormat "%t \t%u \t%{Referer}i -> %U" docsreferer
LogFormat "%t \t%u \t%{User-agent}i" docsagent
LogFormat "%t \t%u \t%r" docssmall
LogFormat "%t \t%u \t-->
%{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <--
\t%r" sslformat

CustomLog logs/ssl/mbsinda.log docscommon
CustomLog logs/ssl/mbsindareferer.log docsreferer
CustomLog logs/ssl/mbsindaagent.log docsagent
CustomLog logs/ssl/mbsindasmall.log docssmall
CustomLog logs/ssl/mbsindassl.log sslformat

ScriptAlias /cgi-bin/ "C:/MBserver/Apache/secure/cgi-bin/"


SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLOptions +StdEnvVars +ExportCertData


SSLProtocol -all +SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:-EXP:-LOW:-SSLv2

SSLCertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.crt"
SSLCertificateKeyFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.key"
SSLCACertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaCA.crt"
SSLCACertificatePath "C:/MBserver/Apache/conf/ssl-AA"
SSLOptions +CompatEnvVars +StdEnvVars
SSLEngine on





I appreciate you guys taking a look at this,

Thanks,
Mark Barton

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: What is a good way to determine this

Yes, it is encrypted. The process is as follows:

Browser connects and handshakes the SSL encryption level (with the obvious
key checks). The connection is then encrypted.
Browser sends GET request to server
Server sends authorisation request
Browser sends "Authorization:" header which IIRC is a base64 encoding of the
username and password (which is basically plain text, encrypted via SSL).
The page or data is returned if the connection is authorised.

So the logs are correct, as the GET request is sent without the
authorization header. What is confusing is that most browsers do not show a
padlock until after you send it (this isn't that difficult to fix, is it?).

It could be argued that this method may be more "hackable" than putting a
login somewhere in the page (eg RedHat Network at https://rhn.redhat.com),
but I don't particularly want to go there.

We have a server internally that gives you the wrong pages if you proxy the
Authorization header, so I had someone produce a patch to prevent the
proxying of the Authorization header.

I realise I haven't answered the specific question as to why the log doesn't
show the SSL encryption level. Perhaps the server writes this entry before
the SSL handshaking completes? (I'd have to look in the source).

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.

-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org