Old 04-21-2008, 10:13 AM   #1
exceed1
Member
 
Registered: Mar 2008
Location: oslo
Distribution: debian,redhat
Posts: 199

Rep: Reputation: 31
What is 2-way SSL and the difference between one and two way


Hi

I've been setting up SSL certificates for a while (standard SSL and wildcards), but now I need to set up some two-way SSL certificates. I'm not asking that someone explain all about what the differences between one- and two-way SSL are, but does someone have a great/good guide that explains what it is and maybe how to set it up? It's going to be used with Apache. All help is appreciated as always.

Last edited by exceed1; 04-21-2008 at 10:15 AM.
 
Old 04-21-2008, 10:29 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Well, Google has plenty of hits, some interesting-looking PDF docs there

http://www.google.co.uk/search?hl=en...G=Search&meta=

Also the standard Apache howtos are useful... http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Last edited by acid_kewpie; 04-21-2008 at 10:31 AM.
 
Old 04-22-2008, 04:28 AM   #3
exceed1
Member
 
Registered: Mar 2008
Location: oslo
Distribution: debian,redhat
Posts: 199

Original Poster
Rep: Reputation: 31
Thank you for spending your time answering, but did you really think that I didn't google first? Do I always have to type in the first post that I have been googling? I see that there are some very minimal explanations of what two-way SSL is (yes, there are a lot more, but that's pretty much on regular SSL or two-way with use in app. servers) in the results (and yes, I've tried several search terms) and that won't give me a full understanding of it.. but I could probably use that.. but the problem is that I can't find any _good_ guide or a guide at all about how to set up two-way SSL from scratch. I mean, do you order it the same way as a regular standard SSL certificate.. and if you have to order it like a regular certificate.. where do you go from there.. what's different.. I'm kinda looking for a guide that _explains_ and wants you to _understand_
 
Old 04-22-2008, 05:40 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Well, you said you wanted some guides so I pointed you to some guides... Within Apache it's pretty trivial to configure a client-side certificate requirement... There's no specific "two-way" setup, it's just multiple things which work in isolation from each other. Again, another guide which seems to cover it all off pretty well... http://blogs.ittoolbox.com/security/...ificates-11500 Do you have specific questions here?
 
Old 04-23-2008, 10:26 AM   #5
exceed1
Member
 
Registered: Mar 2008
Location: oslo
Distribution: debian,redhat
Posts: 199

Original Poster
Rep: Reputation: 31
Yeah, well, thanks for the link, but in the comments on that page they say that the article contains several errors and I don't understand what this has to do with "two-way SSL" since he seems to only be talking about regular SSL stuff.

- I am again asking this question since it hasn't been answered and this was what I was wondering (see topic of the thread).. what is the difference between a regular and a two-way certificate?
- When setting up a two-way certificate, do you then buy a regular certificate at fex. Thawte and install that?
- Are a regular SSL certificate and a two-way certificate only different when it comes to fex. the configuration of Apache?
- Could you explain why someone would want a two-way certificate compared to a regular one?

What two-way certificates are seems to be covered poorly pretty much everywhere.

Last edited by exceed1; 04-23-2008 at 10:28 AM.
 
Old 04-23-2008, 10:43 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
OK, getting threads crossed... I read the title but your thread then said "I'm not asking for someone to explain the differences..."

Anyway.

There is no such thing as a two-way SSL certificate. There are two certificates involved, but they are essentially separate. It's only the overall solution and concept that is two-way. Within raw config there are two isolated parts - server-side SSL and client-side SSL. If I may, I think your view on the documentation of this being vague is that, as above, in itself it's not a real thing, just a combination of things. And I've not heard of "fex" before... who's or what's that?

In terms of motivation, it's about knowing who your client is to a certain level. Where I work we have a wholesale ISP to whom we report ADSL faults. In order for us to access the site at all we need to provide them with one of their signed certificates in order to prove that we are who we say we are to a given level of confidence. This goes well against the logic of something like a public IP being allowed access. Often a private website online will only allow known customer IP addresses to connect to them, but that can be a horrible mess to administer, so instead they can say to customers like us that when we go to their site we must provide them with a valid certificate that they trust, irrespective of where they are. Many, many other examples of course, but that's one I deal with every day. It's also very common for clustered systems, SOAP/XML interchanges happening over Apache, to require both parties involved to require a certificate to ensure mutual trust.
 
Old 04-24-2008, 08:10 AM   #7
exceed1
Member
 
Registered: Mar 2008
Location: oslo
Distribution: debian,redhat
Posts: 199

Original Poster
Rep: Reputation: 31
OK, that made it a little clearer.

When it comes to what "fex" means, it's just a short name for "for example".

So if I understand you correctly, then you have a server that is secured with a regular certificate and you have the client that must use a certificate to authenticate against the server, right? If what I'm saying here is true, then what kind of certificate is used by the client, is it a self-signed certificate or a certificate bought from a certificate authority (CA)? ..And how do you authenticate to the server using your client certificate, do you have the certificate installed in the browser..
 
Old 04-24-2008, 08:34 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
It's whatever certificate that is deemed suitable for the situation. Note that there's nothing special about a Thawte certificate in terms of technology, they were simply given implicit trust by much of the security industry. Who's to say you are any less honest than them? Maybe you are the one to say that, in which case your systems are free to be configured to accept your signed certificates as well as (or maybe even instead of) commercially signed ones.
 
Old 04-24-2008, 09:44 AM   #9
exceed1
Member
 
Registered: Mar 2008
Location: oslo
Distribution: debian,redhat
Posts: 199

Original Poster
Rep: Reputation: 31
OK, thanks for the quick reply. How does the client authenticate with the server if it's for example a webserver, is the certificate installed in the client's browser?
 
Old 04-24-2008, 09:45 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Yes, you tend to get a popup box saying that the server is requesting a certificate and wants you to choose which one to send it. If you have no certificate, it'll usually just fail silently with a server error.
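
The "two isolated parts" described in this thread, shown as one Apache mod_ssl virtual host. This is an added example, not a configuration posted by anyone in the thread; the hostname and every file path are placeholders.

```apache
# Added example: placeholder hostname and file paths, not from the thread.
<VirtualHost *:443>
    ServerName partners.example.com

    # Part 1: server-side SSL. This is the "regular" certificate the
    # server presents to every client (bought from a CA or self-issued).
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Part 2: client-side SSL. This is what makes the setup "two-way".
    # The file holds the CA certificate(s) whose signed client
    # certificates are accepted; it can be your own private CA.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt

    # "none" (the default) is one-way SSL. "require" refuses any client
    # that does not present a certificate chaining to the CA above.
    SSLVerifyClient require

    # No intermediate CAs between the client certificate and that CA.
    SSLVerifyDepth 1

    # Record which client certificate each request arrived with.
    CustomLog /var/log/apache2/ssl_client.log "%t %h \"%{SSL_CLIENT_S_DN}x\" %{SSL_CLIENT_VERIFY}x \"%r\" %>s"
</VirtualHost>
```

Removing the three directives in part 2 leaves an ordinary one-way SSL site, which is why there is no separate "two-way certificate" to order.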
 
Old 04-24-2008, 10:22 AM   #11
exceed1
Member
 
Registered: Mar 2008
Location: oslo
Distribution: debian,redhat
Posts: 199

Original Poster
Rep: Reputation: 31
Thanks for your help with this problem acid_kewpie
 
  

