Apache
http://wiki.egee-see.org/index.php/Simple_Apache-SSL_integration_and_DN-based_authentication
Describe valid client DN list in text file
- The resource can be reached only by the specified clients' DNs
The list of client DNs can be kept in any file; in this example /etc/httpd/see-grid.users is used. With SSLOptions +FakeBasicAuth, mod_ssl uses the client certificate's subject DN as the Basic-auth user name and supplies the fixed password "password", so each line holds a DN followed by a colon and the crypt() hash of that password (xxj31ZMTZzkVA). Example file contents:
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Neda Svraka:xxj31ZMTZzkVA
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Branimir Ackovic:xxj31ZMTZzkVA
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz:xxj31ZMTZzkVA
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Dusan Vudragovic:xxj31ZMTZzkVA
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
AuthName "SEE-GRID Authentication"
AuthType Basic
AuthUserFile /etc/httpd/see-grid.users
require valid-user
IIS
http://www.iis.net/configreference/system.webserver/security/authentication/iisclientcertificatemappingauthentication
Describe the valid client's base64-encoded certificate in an XML file
Tomcat
http://www.chesterproductions.net.nz/blogs/it/code/configuring-client-certificate-authentication-with-tomcat-and-java/537/
Put the valid client certificate into the server-side key store
Nginx
http://blog.nategood.com/client-side-certificate-authentication-in-ngi
Write the validator yourself
Configuring nginx
server {
    listen 443;
    ssl on;
    server_name example.com;
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client optional;

    location / {
        root /var/www/example.com/html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME /var/www/example.com/lib/Request.class.php;
        fastcgi_param VERIFIED $ssl_client_verify;
        fastcgi_param DN $ssl_client_s_dn;
        include fastcgi_params;
    }
}
First, we pass in the $ssl_client_verify variable as the VERIFIED parameter. This is useful when we are allowing authenticated and unauthenticated requests. When the client certificate was able to be verified against our CA cert, this will have the value of SUCCESS. Otherwise, the value will be NONE.
Second, you'll notice we pass the $ssl_client_s_dn variable to the DN parameter. This will provide "the line subject DN of client certificate for established SSL-connection". The Common Name part of this certificate may be of most interest for you. Here is an example value for DN: /C=US/ST=Florida/L=Orlando/O=CLIENT NAME/CN=CLIENT NAME
Nginx also provides the option to pass in the entire client certificate via $ssl_client_cert or $ssl_client_cert_raw. For more details on the SSL options available to you in nginx, check out the Nginx Http SSL Module Wiki.
Lighttpd
http://redmine.lighttpd.net/boards/2/topics/3684
Write the validator yourself
I had client-side SSL working a few months ago, though now it's broken for me and I can't get it to work. Would be grateful if you could share your notes.
To get the SSL_CLIENT_S_DN_CN passed through to my applications, I had the following config:
$SERVER["socket"] == "192.168.1.65:8443" {
    ssl.engine = "enable",
    ssl.pemfile = "/path/to/cert.pem",
    ssl.ca-file = "/path/to/crtchain.crt",
    ssl.verifyclient.activate = "enable",
    ssl.verifyclient.enforce = "enable",
    ssl.verifyclient.depth = 2,
    ssl.verifyclient.exportcert = "enable",
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}
Then in my application I could fetch the SSL_CLIENT_S_DN_CN by querying the request environment variables, e.g.:
request.env['REMOTE_USER']
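As an added example (not code from any of the linked pages), here is the "validator you write yourself" for the nginx configuration above, in Python: it loads an allow list in the same DN:hash format as the Apache see-grid.users file and checks the VERIFIED and DN FastCGI parameters before granting access. The names load_allowed_dns, authenticate and common_name and the sample list are my own, and the backend is assumed to see the FastCGI parameters as an environment-style dict (as with PHP's $_SERVER or a WSGI environ).

```python
# Added example: application-side validator for the VERIFIED and DN
# FastCGI parameters set by the nginx configuration above (not page code).
from typing import FrozenSet, Iterable, Tuple

# Constructed sample in the same DN:hash format as /etc/httpd/see-grid.users.
SAMPLE_DN_LIST = """\
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Neda Svraka:xxj31ZMTZzkVA
/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz:xxj31ZMTZzkVA
# blank lines and comment lines are skipped
"""


def load_allowed_dns(lines: Iterable[str]) -> FrozenSet[str]:
    """Parse DN[:hash] lines into the set of DNs allowed to use the resource."""
    allowed = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The ":xxj31ZMTZzkVA" suffix only matters to Apache's FakeBasicAuth
        # (it is crypt("password")); for our own check the DN is the identity.
        dn = line.rpartition(":")[0] if ":" in line else line
        allowed.add(dn)
    return frozenset(allowed)


def common_name(dn: str) -> str:
    """Return the CN component of a slash-separated subject DN, or ''."""
    # A value containing '/' cannot be split unambiguously in this form, which
    # is one more reason to authorise on the full DN rather than the CN alone.
    for part in dn.split("/"):
        key, sep, value = part.partition("=")
        if sep and key == "CN":
            return value
    return ""


def authenticate(env: dict, allowed: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide access from the FastCGI params nginx forwarded; returns (granted, detail).

    Only the exact string SUCCESS is trusted: with ssl_verify_client optional the
    request still reaches the backend when $ssl_client_verify is NONE (no
    certificate) or FAILED:<reason> (certificate not chaining to ca.crt).
    """
    if env.get("VERIFIED") != "SUCCESS":
        return False, "client certificate not verified"
    dn = env.get("DN", "")
    if dn not in allowed:
        return False, "DN not in allow list: %s" % dn
    return True, common_name(dn)
```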