Client certificate authentication on tunneling proxy

on 21.01.2010 02:35:41 by Andrei T

Hi,

I am trying to figure out if it is possible to configure Apache (any
version) so that it would work as a tunneling proxy for HTTPS servers
such that it would also verify the client certificates used to access
those servers. The goal is to protect servers on the internal network
from unauthorized access (even if the certificate check on the target
server fails and the connection will be broken).

I tried configuring an HTTPS virtual host on Apache so that it accepts
proxy tunneling requests. The server starts up fine, but it fails to
handle the CONNECT requests. The connection just closes with no error
appearing in the Apache log.

I used telnet-ssl to connect to Apache and passed the following request:
CONNECT target-server:80 HTTP/1.1
Host: target-server:80

The same worked fine when I connected to Apache through plain HTTP.

The Apache 2.2.8 (OpenSUSE 11.0) config I am using is:

<VirtualHost _default_:443>
    ProxyRequests On
    AllowCONNECT 443 80

    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
    CustomLog /var/log/apache2/ssl_request_log ssl_combined

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>

Any help would be appreciated.

Thanks,
--
Andrei T

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Client certificate authentication on tunneling

on 21.01.2010 07:35:17 by Igor Cicimov

So you are trying to connect to port 80 on the server, not 443? The SSL host
listens on 443, so what do you expect to happen when you connect to port 80
as shown in your test? Have you redirected port 80 to 443 in your
configuration or what? You have also mentioned client certificates, so have
you tried importing that certificate in some browser and testing the
connection?




Re: Client certificate authentication on tunneling proxy

on 21.01.2010 08:33:56 by Andrei T

Igor Cicimov wrote:
> So you are trying to connect to port 80 on the server not 443? The SSL
> host listens to 443 so what do you expect to happen when you connect to
> port 80 as shown in your test? Have you redirected the port 80 to 443 in
> your configuration or what?

I am trying to connect to apache through SSL (port 443) and tell it to
create a tunnel to some other server listening on port 80. I tried the
same for target port 443 as well. The actual protocol between client and
target is not important - I want apache to establish a tunnel. This
works well when apache is running in plain HTTP (not HTTPS) mode.
http://en.wikipedia.org/wiki/HTTP_tunnel

> You have also mentioned client certificates
> so have you tried importing that certificate in some browser and test
> the connection?

I have not tried fiddling with client certificates yet. There is no
point in trying it if apache is not working even without them. My
understanding is that client certificate verification is possible only
through an SSL connection. That's why I am trying to make apache run in
HTTPS mode for proxying.




Re: Client certificate authentication on tunneling

on 27.01.2010 17:19:38 by Matus UHLAR - fantomas

> Igor Cicimov wrote:
>> So you are trying to connect to port 80 on the server not 443? The SSL
>> host listens to 443 so what do you expect to happen when you connect to
>> port 80 as shown in your test? Have you redirected the port 80 to 443
>> in your configuration or what?

On 21.01.10 18:33, Andrei T wrote:
> I am trying to connect to apache through SSL (port 443) and tell it to
> create a tunnel to some other server listening on port 80.

Why a tunnel? Who would create the tunnel? While it's possible, I don't know
of any browser that could do that.

>> You have also mentioned client certificates so have you tried importing
>> that certificate in some browser and test the connection?

> I have not tried fiddling with client certificates yet. There is no
> point in trying it if apache is not working even without them. My
> understanding that client certificate verification is possible only
> through an SSL connection. That's why I am trying to make apache run in
> HTTPS mode for proxying.

You can configure apache so that it would behave as a proxy: https on the
receiving side with client certificate verification, and proxying to other
tunnels. The client would think that your apache is the server.

You also could configure apache as a proxy accessible through https (but
clients afaik don't support an https proxy) and configure clients to use this
apache as a proxy. But they would not issue CONNECT to port 80.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/

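Matus's first suggestion, written out as an added example that is not from the thread or from the Apache project: Apache 2.2 terminates TLS itself, rejects any connection that does not present a client certificate chaining to the CA you choose, and only then forwards the request over HTTPS to the internal server. The ServerName, the two CA file names and the backend host are placeholders, and the cipher string is deliberately stricter than the SUSE default in the original post, which still admits eNULL, EXP, LOW and SSLv2.

```apache
# Added example (not from the thread): TLS-terminating reverse proxy with
# mandatory client certificates in front of an internal HTTPS server.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
Listen 443
<VirtualHost _default_:443>
    # Placeholder hostname
    ServerName proxy.example.internal

    SSLEngine on
    SSLProtocol all -SSLv2
    # Strict cipher list instead of the permissive default quoted in the post.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # Client certificate verification: a client without a certificate that
    # chains to client-ca.crt (placeholder) is refused during the TLS
    # handshake, so no request from it ever reaches the backend.
    SSLCACertificateFile  /etc/apache2/ssl.crt/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1
    # Optionally narrow access further by a field of the certificate subject.
    # SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp"

    # No forward proxying and hence no CONNECT: only the mapping below exists.
    ProxyRequests         Off
    ProxyPreserveHost     On
    # The hop to the backend is HTTPS too, and the backend certificate is
    # checked against the internal CA (placeholder file) so the proxy cannot
    # be pointed at an impostor backend.
    SSLProxyEngine        On
    SSLProxyVerify        require
    SSLProxyCACertificateFile /etc/apache2/ssl.crt/internal-ca.crt
    ProxyPass             / https://target-server/
    ProxyPassReverse      / https://target-server/

    # Hand the authenticated identity to the backend for its own logging
    # and authorisation decisions.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"

    ErrorLog  /var/log/apache2/error_log
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
```

The trade-off is the one raised later in the thread: the proxy holds the plaintext of every request, so it must be hardened and monitored like the servers it protects, and the backend should still apply its own authorisation to the forwarded X-Client-DN header rather than trusting the proxy blindly.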

Re: Client certificate authentication on tunneling proxy

on 28.01.2010 09:16:26 by Andrei T

Matus UHLAR - fantomas wrote:
> On 21.01.10 18:33, Andrei T wrote:
>> I am trying to connect to apache through SSL (port 443) and tell it to
>> create a tunnel to some other server listening on port 80.
>
> why a tunnel? Who would create the tunnel? While It's possible, I don't know
> of any browser that could do that.

This setup is not intended to be used by browsers. Instead, specially
crafted client code will be dealing with that.

>> I have not tried fiddling with client certificates yet. There is no
>> point in trying it if apache is not working even without them. My
>> understanding that client certificate verification is possible only
>> through an SSL connection. That's why I am trying to make apache run in
>> HTTPS mode for proxying.
>
> You can configure apache so that it would behave as proxy, https on
> receiving side with client certificate verification and proxying to another
> tunnels. Client would think that your apachs is the server.

If I understand correctly you are suggesting that client connects to
apache (through HTTPS) and then apache establishes a separate HTTPS
connection to the real target server?

The downside of this approach is that the target server and client do
not see (verify) each other, and the proxy becomes a sweet target: anyone
taking over it would be able to talk to clients and the target server and
see all the traffic.

> You also could configure apache as proxy accessible through https (but
> clients afaik don't support https proxy) and configure clients to use this
> apache as proxy. But they would not issue CONNECT to port 80.

I tried configuring apache as a tunneling proxy through https, but in
this scenario apache would not recognize the CONNECT request and would
not establish a tunnel to the target server.


Re: Client certificate authentication on tunneling proxy

on 28.01.2010 09:55:34 by Andrei T

Andrei T wrote:
>
> I tried configuring apache as a tunneling proxy through https, but in
> this scenario apache would not recognize the CONNECT request and would
> not establish a tunnel to the target server.

I actually found that this is a known issue with apache:
https://issues.apache.org/bugzilla/show_bug.cgi?id=29744

Should have browsed bugzilla more thoroughly... :-)



Re: Client certificate authentication on tunneling

on 28.01.2010 11:38:51 by Matus UHLAR - fantomas

>> On 21.01.10 18:33, Andrei T wrote:
>>> I am trying to connect to apache through SSL (port 443) and tell it
>>> to create a tunnel to some other server listening on port 80.

> Matus UHLAR - fantomas wrote:
>> why a tunnel? Who would create the tunnel? While It's possible, I don't
>> know of any browser that could do that.

On 28.01.10 19:16, Andrei T wrote:
> This setup is not intended to be used by browsers. Instead a specially
> crafted client code will be dealing with that.

I wonder why to have this setup at all.

>>> I have not tried fiddling with client certificates yet. There is no
>>> point in trying it if apache is not working even without them. My
>>> understanding that client certificate verification is possible only
>>> through an SSL connection. That's why I am trying to make apache run
>>> in HTTPS mode for proxying.

>> You can configure apache so that it would behave as proxy, https on
>> receiving side with client certificate verification and proxying to another
>> tunnels. Client would think that your apachs is the server.

> If I understand correctly you are suggesting that client connects to
> apache (through HTTPS) and then apache establishes a separate HTTPS
> connection to the real target server?
>
> The downside of this approach is that the target server and client do
> not see (verify) each other and the proxy becomes a sweat target: anyone
> taking over it would be able to talk to clients and target server and
> see all the traffic.

Yes, but that's mostly common when using a proxy. You want to use the proxy
through HTTPS and talk to the destination server via https?
Do you need the proxy in the middle? Why can't you connect to it through
HTTP if you'll tunnel https through?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
