Solved

One Site Multiple Certificate

Posted on 2007-11-21
9
1,433 Views
Last Modified: 2008-08-26
I have a web applicaiton which acts as a web service that allow multiple parties to connect to, to retrieve information.
The website will be SSL protected with mod_ssl.
Is there anyway to allow different clients to connect to one same site but with different certificates?

0
Comment
Question by:archerlogic
  • 3
  • 2
  • 2
9 Comments
 
LVL 9

Expert Comment

by:svs
Comment Utility
You mean server certificates?  There is a way (TLS extension - Server Name Indication) -- check out https://dave.sni.velox.ch/
0
 

Author Comment

by:archerlogic
Comment Utility
Sorry for not being clear.

For example I have a script atl https://svc.web.com/test.cgi. I will be having other multiple remote servers that will do a HTTPS POST to this script. Is it possible that these multiple remote servers use a different SSL certificate to connect to my site or do they have to use the same one?

Hope I am clear now, or am I more confusing?
0
 
LVL 9

Expert Comment

by:svs
Comment Utility
Yeah, still more confusing.  Do you need to identify these remote servers?  Then maybe you are talking about different *client* certificates?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:archerlogic
Comment Utility
yes, different client certificates but all connecting to the same site. Possible?
0
 
LVL 13

Expert Comment

by:John Mc Hale
Comment Utility
You should be able to do this with configuration directives:

SSLVerifyClient require
# optionally specify hierarchical verification  depth
#SSLVerifyDepth
# check client certificate's common name
SSLRequire (     %{SSL_CLIENT_S_DN_CN} eq "server1commonname" \
                      or %{SSL_CLIENT_S_DN_CN} eq "server2commonname" \
                      or %{SSL_CLIENT_S_DN_CN} eq "server1commonname"
)

or

SSLRequire (     %{SSL_CLIENT_S_DN_CN} eq "server1commonname" \
                      || %{SSL_CLIENT_S_DN_CN} eq "server2commonname" \
                      || %{SSL_CLIENT_S_DN_CN} eq "server3commonname"
) # etc. etc.

You can also test client connections using their ip addresses:

SSLRequire( %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$ )

... but i've never used the 2nd one


0
 

Author Comment

by:archerlogic
Comment Utility
Question, is this used for when multiple clients with different certs connect to one site?

Where do I put in the path of the cert? Would be great if you explain what these chunk does. thanks
0
 
LVL 13

Accepted Solution

by:
John Mc Hale earned 500 total points
Comment Utility
Yes,

the directive SSLVerifyClient require

just verifies that connecting clients are using SSL; i.e. that insercure connections are not accepted.

the directive SSLRequire can be used with any valid variables (much like environment variables), so...

what the SSLRequire block:

SSLRequire (     %{SSL_CLIENT_S_DN_CN} eq "server1commonname" \
                      || %{SSL_CLIENT_S_DN_CN} eq "server2commonname" \
                      || %{SSL_CLIENT_S_DN_CN} eq "server3commonname"
)

would do is to examine the common name of the certificate issued to whatever clients you wish to accept connections from, and if the value of the common name is 'server1commonname' or 'server2commonname' or 'server3commonname' then the connection is accepted. Naturally, you would change the 'serverxcommonname' to whatever the common names of each connecting client are.

Unless the connecting clients have fixed IP addresses, then relying on the %{REMOTE_ADDR} variable is unwise, as dynamically allocated ip addresses, by their nature, change.

Generally speaking, it is a bad idea to have server-wide SSL, unless your site is limited to a small amount of served pages, as performance will be affected.

So, you would normally enable SSL within a virtual host; (see code snippet).

Then you protect the directories/locations that you require SSL for, using Diectory or Location constructs in your httpd configuration file, or alternatively, on a per-directory basis in a .htaccess file;

e.g.

<Directory "C:/Apache/htdocs/private" >
SSLRequireSSL
SSLVerifyClient require
SSLRequire (     %{SSL_CLIENT_S_DN_CN} eq "server1commonname" \
                      || %{SSL_CLIENT_S_DN_CN} eq "server2commonname" \
                      || %{SSL_CLIENT_S_DN_CN} eq "server3commonname"
)
</Directory>



 


SSLRandomSeed startup builtin

SSLRandomSeed connect builtin
 

Listen 443

#

#   Some MIME-types for downloading Certificates and CRLs

#

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl    .crl
 

SSLPassPhraseDialog  builtin
 

#   Inter-Process Session Cache:

#   Configure the SSL Session Cache: First the mechanism 

#   to use and second the expiring timeout (in seconds).

#SSLSessionCache         dbm:c:/Apache/logs/ssl_scache

SSLSessionCache        shmcb:c:/Apache/logs/ssl_scache(512000)

SSLSessionCacheTimeout  300
 

#   Semaphore:

#   Configure the path to the mutual exclusion semaphore the

#   SSL engine uses internally for inter-process synchronization. 

SSLMutex default
 

##

## SSL Virtual Host Context

##
 

#NameVirtualHost inspiron-xpm-01:443

<VirtualHost _default_:443>
 

#   General setup for the virtual host

#DocumentRoot "C:/apache/htdocs"

#ServerName www.example.com:443

ServerAdmin you@example.com

ErrorLog C:/Apache/logs/error_ssl.log

TransferLog C:/Apache/logs/access_ssl.log
 

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on
 

#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 

#   Server Certificate:

#   Point SSLCertificateFile at a PEM encoded certificate.  If

#   the certificate is encrypted, then you will be prompted for a

#   pass phrase.  Note that a kill -HUP will prompt again.  Keep

#   in mind that if you have both an RSA and a DSA certificate you

#   can configure both in parallel (to also allow the use of DSA

#   ciphers, etc.)

SSLCertificateFile C:/myCA/certs/server.crt
 

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile C:/myCA/private/server.key
 

#   Server Certificate Chain:

#   Point SSLCertificateChainFile at a file containing the

#   concatenation of PEM encoded CA certificates which form the

#   certificate chain for the server certificate. Alternatively

#   the referenced file can be the same as SSLCertificateFile

#   when the CA certificates are directly appended to the server

#   certificate for convinience.

#SSLCertificateChainFile c:/Apache/conf/server-ca.crt
 

#   Certificate Authority (CA):

#   Set the CA certificate verification path where to find CA

#   certificates for client authentication or alternatively one

#   huge file containing all of them (file must be PEM encoded)

#   Note: Inside SSLCACertificatePath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

SSLCACertificateFile C:/myCA/certs/myca.crt
 

#   Certificate Revocation Lists (CRL):

#   Set the CA revocation path where to find CA CRLs for client

#   authentication or alternatively one huge file containing all

#   of them (file must be PEM encoded)

#   Note: Inside SSLCARevocationPath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

#SSLCARevocationFile c:/Apache/conf/ssl.crl/ca-bundle.crl

#   SSL Protocol Adjustments:

#   The safe and default but still SSL/TLS standard compliant shutdown

#   approach is that mod_ssl sends the close notify alert but doesn't wait for

#   the close notify alert from client. When you need a different shutdown

#   approach you can use one of the following variables:

#   o ssl-unclean-shutdown:

#     This forces an unclean shutdown when the connection is closed, i.e. no

#     SSL close notify alert is send or allowed to received.  This violates

#     the SSL/TLS standard but is needed for some brain-dead browsers. Use

#     this when you receive I/O errors because of the standard approach where

#     mod_ssl sends the close notify alert.

#   o ssl-accurate-shutdown:

#     This forces an accurate shutdown when the connection is closed, i.e. a

#     SSL close notify alert is send and mod_ssl waits for the close notify

#     alert of the client. This is 100% SSL/TLS standard compliant, but in

#     practice often causes hanging connections with brain-dead browsers. Use

#     this only for browsers where you know that their SSL implementation

#     works correctly. 

#   Notice: Most problems of broken clients are also related to the HTTP

#   keep-alive facility, so you usually additionally want to disable

#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

BrowserMatch ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0
 

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog "C:/Apache/logs/ssl_request.log" \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 

</VirtualHost>

Open in new window

0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now