LinuxQuestions.org
Old 12-20-2012, 09:18 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
Apache: require ssl-certificate to access https-server


Hello,

I notice that when browsing to a https-server with a self-created CA and certificate, the server certificate is offered to the browser for importing.

Adding the certificate with a simple mouse click and you have access.

Can it be forced in the Apache config that this self-signed certificate is NOT offered to the browser, and that there can only be access to the https-server when this certificate was first manually imported into the browser?

So everyone who does not have the certificate, has no access to the https-webserver and its directories.

Possible?
 
Old 12-20-2012, 09:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
You seem to be mixing up client and server certs here. What you seem to want doesn't make sense. A server will never offer you a client cert, you offer it to the server. And a server must always provide its cert to any client, that's the basis for SSL working at any level.
 
Old 12-20-2012, 09:44 AM   #3
jonaskellens
Original Poster
Thanks for your answer.

You say: "you offer it to the server"

Then the only way to not allow a connection is to work with client certificates and the configuration options:

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1


But the https-server will always offer its certificate to anyone who wants a connection? OK then! Hadn't really understood it that way.
 
Old 12-20-2012, 09:53 AM   #4
acid_kewpie
Well yes the solution you appear to be working towards would require validation of client certificates, but as with the other threads you've started about this, I really would question whether it's really an appropriate solution for your needs. Why are you not just using a username and password?
 
Old 12-20-2012, 10:02 AM   #5
jonaskellens
Original Poster
Well, to be honest, I want to set up a provisioning server with configuration files. Never thought this information was really needed to help me.

I'm testing authorisation to directories via my Firefox web browser (because that's the easy way to quickly test a configuration).

Some users/devices need access to certain directories to which other users/devices may not have access.

That's the whole story.

User/password via .htaccess is my option... but only if the certificate-setup would not meet my needs.
(because I think certificates are safer than user/passwd)
 
Old 12-20-2012, 10:07 AM   #6
acid_kewpie
Sure, a client cert is generally going to be seen to be safer, if it's manageable. There are plenty of scenarios where it's not though. You have to load a cert into a browser, and then remove it. You don't need to "remove" a password, so there's nothing left behind if you just get up and walk away.

So on the client cert solution, is there something fundamentally not clicking? Your first post above just doesn't fit in with the architecture of client cert authentication, so maybe there's something in the theory side of things we can clear up?
 
Old 12-20-2012, 10:12 AM   #7
jonaskellens
Original Poster
I was under the assumption that I could place ssl-certificates on the devices that are authorised to get configuration files from the https-server.

Everyone who has no business on the https-server needs to have every connection attempt rejected.

So there are only 2 scenarios:
1. you have a certificate to authorise yourself to the https-server. That's OK!
or
2. you don't have a certificate and the server rejects your attempt
 
Old 12-20-2012, 12:44 PM   #8
acid_kewpie
Well yes, that's correct, but you get rejected at the middle stage of the SSL handshake, not immediately. You won't ever get an HTTP request through though, whether you provide your server cert or not. The client cert is validated before the encrypted channel begins (AFAIR) so it's still fairly early. You would still use the SSLClientVerify config option to ensure that the client cert IS provided. As well as requiring a cert, you would then also filter the permitted certs, probably with the SSL_CLIENT_S_DN variable, which is the name of the client cert.

http://it.toolbox.com/blogs/security...ificates-11500
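Putting together what #3, #7 and #8 describe, here is an added example of a mod_ssl virtual host (not code posted in this thread, and not from any LQ member) that admits only clients presenting a certificate issued by a private CA, and then limits one directory to named device certificates through the SSL_CLIENT_S_DN_CN variable. The hostname, file paths and device CNs are placeholders chosen for the example, not values from the thread; the directive referred to in #8 as SSLClientVerify is spelled SSLVerifyClient in httpd.conf.

```apache
# Added example (not from the thread). Apache 2.2/2.4 mod_ssl virtual host for a
# provisioning server that only serves devices holding a client certificate
# signed by your own CA. All hostnames, paths and CNs are placeholders.
<VirtualHost *:443>
    # placeholder hostname and document root
    ServerName provisioning.example.com
    DocumentRoot /var/www/provisioning

    SSLEngine on

    # Server certificate and key. Every client always receives this during the
    # handshake; it sets up the encrypted channel and does no access control.
    SSLCertificateFile    /etc/pki/tls/certs/provisioning.crt
    SSLCertificateKeyFile /etc/pki/tls/private/provisioning.key

    # CA certificate that signed the *client* (device) certificates. This must be
    # the CA cert, not the server certificate above; Apache accepts only client
    # certs that chain to a CA listed in this file.
    SSLCACertificateFile  /etc/pki/tls/certs/device-ca.crt

    # Abort the handshake unless the client presents a certificate that verifies
    # against the CA above. With "optional" instead of "require", clients without
    # a certificate would still reach the HTTP layer.
    SSLVerifyClient require
    # Device certs are signed directly by the CA (depth 1 = CA -> client cert).
    SSLVerifyDepth  1

    # Optional: a CRL so a lost device can be cut off without re-issuing the CA.
    # On Apache 2.4 the check must also be switched on with SSLCARevocationCheck.
    # SSLCARevocationFile  /etc/pki/tls/certs/device-ca.crl
    # SSLCARevocationCheck chain

    # Any device with a valid certificate may read the common tree.
    <Directory /var/www/provisioning/common>
        SSLRequireSSL
    </Directory>

    # Only the listed devices, matched on the CN of the client cert subject
    # (SSL_CLIENT_S_DN_CN), may read the restricted tree.
    <Directory /var/www/provisioning/restricted>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_CN} in {"device-0001", "device-0002"}
    </Directory>

    # Apache 2.4 equivalent of the SSLRequire line (SSLRequire is deprecated there):
    # <Directory /var/www/provisioning/restricted>
    #     Require expr %{SSL_CLIENT_S_DN_CN} in {"device-0001", "device-0002"}
    # </Directory>

    # Log the presented subject DN and the verification result so access can be
    # audited per device.
    LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_VERIFY}x\"" device_ssl
    CustomLog /var/log/httpd/provisioning_ssl_access.log device_ssl
</VirtualHost>
```

The mistake this layout guards against is pointing SSLCACertificateFile at the server's own self-signed certificate: the file has to hold the CA that issued the device certificates, otherwise every client handshake fails with an unknown-CA alert. To check it is working, a device with a valid cert shows SUCCESS in the SSL_CLIENT_VERIFY log field, while a client without one is rejected during the handshake and never produces a request line in the log, which is the behaviour #8 describes. For the Firefox test in #5, the device key and certificate must first be bundled into a PKCS#12 file (openssl pkcs12 -export) before the browser can import them.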
 
Old 12-21-2012, 03:37 AM   #9
jonaskellens
Original Poster
Just 1 more question to clear my head: is it correct to say that even when the https-server offers its ssl-certificate for the client (example browser) to add, the connection will be encrypted and secure?
 
Old 12-21-2012, 03:44 AM   #10
acid_kewpie
Not following you there. The client cert is ONLY used for identification, not encryption, so at a cryptographic level, HTTPS is just as secure with or without the client certificate.
 
Old 12-21-2012, 05:39 AM   #11
jonaskellens
Original Poster
I agree, with or without the client certificate.

But I'm talking here about the server certificate, which is by default offered to the client (example Firefox browser). Am I right in saying that by adding this offered server certificate to the browser (as Firefox asks you to do) the connection is encrypted?
 
Old 12-21-2012, 06:39 AM   #12
acid_kewpie
yes, the server certificate is the basis for the encrypted session.
 
Old 12-21-2012, 02:20 PM   #13
jonaskellens
Original Poster
OK, then I can be sure that at least the connection is securely encrypted.

For authentication/authorisation, I still need to get my story straight.
 
Old 12-22-2012, 04:57 PM   #14
acid_kewpie
Encryption strength and auth / auth really have nothing in common (even if they both use SSL), divorce the two things and work on them independently.
 
All times are GMT -5. The time now is 08:37 AM.