mirror of
				https://github.com/apache/httpd.git
				synced 2025-10-25 21:57:48 +03:00 
			
		
		
		
	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96194 13f79535-47bb-0310-9956-ffa450edef68
		
			
				
	
	
		
			639 lines
		
	
	
		
			33 KiB
		
	
	
	
		
			HTML
		
	
	
	
	
	
			
		
		
	
	
			639 lines
		
	
	
		
			33 KiB
		
	
	
	
		
			HTML
		
	
	
	
	
	
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 | |
|     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 | |
| 
 | |
| <html xmlns="http://www.w3.org/1999/xhtml">
 | |
|   <head>
 | |
| <title>Apache SSL/TLS Encryption: How-To</title>
 | |
| <style type="text/css"><!--
 | |
| #H {
 | |
| }
 | |
| #D {
 | |
|     background-color: #f0f0f0;
 | |
| }
 | |
| --></style>
 | |
| </head>
 | |
| 
 | |
| <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> 
 | |
| <!--#include virtual="header.html" -->
 | |
| 
 | |
| <h1 align="center">SSL/TLS Strong Encryption: How-To</h1>
 | |
| 
 | |
| 
 | |
| <div align="right">
 | |
| <table cellspacing="0" cellpadding="0" width="200" summary="">
 | |
| <tr>
 | |
| <td>
 | |
| <em>
 | |
| ``The solution of this problem is trivial
 | |
|   and is left as an exercise for the reader.''
 | |
| </em>
 | |
| </td>
 | |
| </tr>
 | |
| <tr>
 | |
| <td align="right">
 | |
| <font size="-1">
 | |
| Standard textbook cookie
 | |
| </font>
 | |
| </td>
 | |
| </tr>
 | |
| </table>
 | |
| </div>
 | |
| 
 | |
| <p>How to solve particular security constraints for an SSL-aware webserver
 | |
| is not always obvious because of the coherences between SSL, HTTP and Apache's
 | |
| way of processing requests. This chapter gives instructions on how to solve
 | |
| such typical situations. Treat is as a first step to find out the final
 | |
| solution, but always try to understand the stuff before you use it. Nothing is
 | |
| worse than using a security solution without knowing its restrictions and
 | |
| coherences.</p>
 | |
| 
 | |
| <ul>
 | |
| <li><a href="#ToC1">Cipher Suites and Enforced Strong Security</a></li>
 | |
| <li><a href="#ToC2">SSLv2 only server</a></li>
 | |
| <li><a href="#ToC3">strong encryption only server</a></li>
 | |
| <li><a href="#ToC4">server gated cryptography</a></li>
 | |
| <li><a href="#ToC5">stronger per-directory requirements</a></li>
 | |
| <li><a href="#ToC6">Client Authentication and Access Control</a></li>
 | |
| <li><a href="#ToC7">simple certificate-based client authentication</a></li>
 | |
| <li><a href="#ToC8">selective certificate-based client authentication</a></li>
 | |
| <li><a href="#ToC9">particular certificate-based client authentication</a></li>
 | |
| <li><a href="#ToC10">intranet vs. internet authentication</a></li>
 | |
| </ul>
 | |
| 
 | |
| <h2><a name="ToC1">Cipher Suites and Enforced Strong Security</a></h2>
 | |
| <ul>
 | |
| <li><a name="ToC2"></a>
 | |
|     <a name="cipher-sslv2"></a>
 | |
|     <strong>
 | |
| How can I create a real SSLv2-only server?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sslv2"><b>L</b></a>]
 | |
|     <p>The following creates an SSL server which speaks only the SSLv2 protocol and
 | |
|     its ciphers.</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     SSLProtocol -all +SSLv2
 | |
|     SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| <li><a name="ToC3"></a>
 | |
|     <a name="cipher-strong"></a>
 | |
|     <strong>
 | |
| How can I create an SSL server which accepts strong encryption only?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-strong"><b>L</b></a>]
 | |
|     <p>The following enables only the seven strongest ciphers:</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     SSLProtocol all
 | |
|     SSLCipherSuite HIGH:MEDIUM
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| <li><a name="ToC4"></a>
 | |
|     <a name="cipher-sgc"></a>
 | |
|     <strong>
 | |
| How can I create an SSL server which accepts strong encryption only,
 | |
| but allows export browsers to upgrade to stronger encryption?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sgc"><b>L</b></a>]
 | |
|     <p>This facility is called Server Gated Cryptography (SGC) and details you can
 | |
|     find in the <code>README.GlobalID</code> document in the mod_ssl distribution.
 | |
|     In short: The server has a Global ID server certificate, signed by a special
 | |
|     CA certificate from Verisign which enables strong encryption in export
 | |
|     browsers. This works as following: The browser connects with an export cipher,
 | |
|     the server sends its Global ID certificate, the browser verifies it and
 | |
|     subsequently upgrades the cipher suite before any HTTP communication takes
 | |
|     place. The question now is: How can we allow this upgrade, but enforce strong
 | |
|     encryption. Or in other words: Browser either have to initially connect with
 | |
|     strong encryption or have to upgrade to strong encryption, but are not allowed
 | |
|     to keep the export ciphers. The following does the trick:</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     #   allow all ciphers for the inital handshake,
 | |
|     #   so export browsers can upgrade via SGC facility
 | |
|     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 | |
|     <Directory /usr/local/apache/htdocs>
 | |
|     #   but finally deny all browsers which haven't upgraded
 | |
|     SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
 | |
|     </Directory>
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| <li><a name="ToC5"></a>
 | |
|     <a name="cipher-perdir"></a>
 | |
|     <strong>
 | |
| How can I create an SSL server which accepts all types of ciphers in general,
 | |
| but requires a strong ciphers for access to a particular URL?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-perdir"><b>L</b></a>]
 | |
|     <p>Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which
 | |
|     restricts the ciphers to the strong variants. But mod_ssl allows you to
 | |
|     reconfigure the cipher suite in per-directory context and automatically forces
 | |
|     a renegotiation of the SSL parameters to meet the new configuration. So, the
 | |
|     solution is:</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     #   be liberal in general
 | |
|     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 | |
|     <Location /strong/area>
 | |
|     #   but https://hostname/strong/area/ and below requires strong ciphers
 | |
|     SSLCipherSuite HIGH:MEDIUM
 | |
|     </Location>
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| </ul>
 | |
| <h2><a name="ToC6">Client Authentication and Access Control</a></h2>
 | |
| <ul>
 | |
| <li><a name="ToC7"></a>
 | |
|     <a name="auth-simple"></a>
 | |
|     <strong>
 | |
| How can I authenticate clients based on certificates when I know all my
 | |
| clients?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-simple"><b>L</b></a>]
 | |
|     <p>When you know your user community (i.e. a closed user group situation), as
 | |
|     it's the case for instance in an Intranet, you can use plain certificate
 | |
|     authentication. All you have to do is to create client certificates signed by
 | |
|     your own CA certificate <code>ca.crt</code> and then verifiy the clients
 | |
|     against this certificate.</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     #   require a client certificate which has to be directly
 | |
|     #   signed by our CA certificate in ca.crt
 | |
|     SSLVerifyClient require
 | |
|     SSLVerifyDepth 1
 | |
|     SSLCACertificateFile conf/ssl.crt/ca.crt
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| <li><a name="ToC8"></a>
 | |
|     <a name="auth-selective"></a>
 | |
|     <strong>
 | |
| How can I authenticate my clients for a particular URL based on certificates
 | |
| but still allow arbitrary clients to access the remaining parts of the server?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-selective"><b>L</b></a>]
 | |
|     <p>For this we again use the per-directory reconfiguration feature of mod_ssl:</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     SSLVerifyClient none
 | |
|     SSLCACertificateFile conf/ssl.crt/ca.crt
 | |
|     <Location /secure/area>
 | |
|     SSLVerifyClient require
 | |
|     SSLVerifyDepth 1
 | |
|     </Location>
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| <li><a name="ToC9"></a>
 | |
|     <a name="auth-particular"></a>
 | |
|     <strong>
 | |
| How can I authenticate only particular clients for a some URLs based
 | |
| on certificates but still allow arbitrary clients to access the remaining
 | |
| parts of the server?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-particular"><b>L</b></a>]
 | |
|     <p>The key is to check for various ingredients of the client certficate. Usually
 | |
|     this means to check the whole or part of the Distinguished Name (DN) of the
 | |
|     Subject. For this two methods exists: The <code>mod_auth</code> based variant
 | |
|     and the <code>SSLRequire</code> variant. The first method is good when the
 | |
|     clients are of totally different type, i.e. when their DNs have no common
 | |
|     fields (usually the organisation, etc.). In this case you've to establish a
 | |
|     password database containing <em>all</em> clients. The second method is better
 | |
|     when your clients are all part of a common hierarchy which is encoded into the
 | |
|     DN. Then you can match them more easily.</p>
 | |
|     
 | |
|     <p>The first method:</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     SSLVerifyClient      none
 | |
|     <Directory /usr/local/apache/htdocs/secure/area>
 | |
|     SSLVerifyClient      require
 | |
|     SSLVerifyDepth       5
 | |
|     SSLCACertificateFile conf/ssl.crt/ca.crt
 | |
|     SSLCACertificatePath conf/ssl.crt
 | |
|     SSLOptions           +FakeBasicAuth
 | |
|     SSLRequireSSL
 | |
|     AuthName             "Snake Oil Authentication"
 | |
|     AuthType             Basic
 | |
|     AuthUserFile         /usr/local/apache/conf/httpd.passwd
 | |
|     require              valid-user
 | |
|     </Directory>
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| <br />
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.passwd</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
 | |
|     /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
 | |
|     /C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| 
 | |
|     <p>The second method:</p>
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     SSLVerifyClient      none
 | |
|     <Directory /usr/local/apache/htdocs/secure/area>
 | |
|     SSLVerifyClient      require
 | |
|     SSLVerifyDepth       5
 | |
|     SSLCACertificateFile conf/ssl.crt/ca.crt
 | |
|     SSLCACertificatePath conf/ssl.crt
 | |
|     SSLOptions           +FakeBasicAuth
 | |
|     SSLRequireSSL
 | |
|     SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
 | |
|                          %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
 | |
|     </Directory>
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| <li><a name="ToC10"></a>
 | |
|     <a name="auth-intranet"></a>
 | |
|     <strong> How can
 | |
| I require HTTPS with strong ciphers and either basic authentication or client
 | |
| certificates for access to a subarea on the Intranet website for clients
 | |
| coming from the Internet but still allow plain HTTP access for clients on the
 | |
| Intranet?
 | |
| </strong>  
 | |
|     [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-intranet"><b>L</b></a>]
 | |
|     <p>Let us assume the Intranet can be distinguished through the IP network
 | |
|     192.160.1.0/24 and the subarea on the Intranet website has the URL
 | |
|     <tt>/subarea</tt>. Then configure the following outside your HTTPS virtual
 | |
|     host (so it applies to both HTTPS and HTTP):</p>
 | |
| 
 | |
|     <table border="0" cellpadding="0" cellspacing="0" summary="">
 | |
|         <tr>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
 | |
|             <td rowspan="3">  <font face="Arial,Helvetica" color="#999999">httpd.conf</font>  </td>
 | |
|             <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|             <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|              <td colspan="3" bgcolor="#ffffff">
 | |
|                  <table border="0" cellspacing="4" summary="">
 | |
|                      <tr>
 | |
|                          <td>
 | |
|     <pre>
 | |
| 
 | |
|     SSLCACertificateFile conf/ssl.crt/company-ca.crt
 | |
| 
 | |
|     <Directory /usr/local/apache/htdocs>
 | |
|     #   Outside the subarea only Intranet access is granted
 | |
|     Order                deny,allow
 | |
|     Deny                 from all
 | |
|     Allow                from 192.168.1.0/24
 | |
|     </Directory>
 | |
| 
 | |
|     <Directory /usr/local/apache/htdocs/subarea>
 | |
|     #   Inside the subarea any Intranet access is allowed
 | |
|     #   but from the Internet only HTTPS + Strong-Cipher + Password
 | |
|     #   or the alternative HTTPS + Strong-Cipher + Client-Certificate
 | |
| 
 | |
|     #   If HTTPS is used, make sure a strong cipher is used.
 | |
|     #   Additionally allow client certs as alternative to basic auth.
 | |
|     SSLVerifyClient      optional
 | |
|     SSLVerifyDepth       1
 | |
|     SSLOptions           +FakeBasicAuth +StrictRequire
 | |
|     SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
 | |
| 
 | |
|     #   Force clients from the Internet to use HTTPS
 | |
|     RewriteEngine        on
 | |
|     RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
 | |
|     RewriteCond          %{HTTPS} !=on
 | |
|     RewriteRule          .* - [F]
 | |
| 
 | |
|     #   Allow Network Access and/or Basic Auth
 | |
|     Satisfy              any
 | |
| 
 | |
|     #   Network Access Control
 | |
|     Order                deny,allow
 | |
|     Deny                 from all
 | |
|     Allow                192.168.1.0/24
 | |
| 
 | |
|     #   HTTP Basic Authentication
 | |
|     AuthType             basic
 | |
|     AuthName             "Protected Intranet Area"
 | |
|     AuthUserFile         conf/protected.passwd
 | |
|     Require              valid-user
 | |
|     </Directory>
 | |
| 
 | |
|     </pre>
 | |
|     </td>
 | |
|                      </tr>
 | |
|                  </table>
 | |
|              </td>
 | |
| 
 | |
|              <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|         <tr>
 | |
|              <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
 | |
|         </tr>
 | |
|     </table>
 | |
| </li>
 | |
| </ul>
 | |
| 
 | |
|     <!--#include virtual="footer.html" -->
 | |
|   </body>
 | |
| </html>
 |