SSL Certificate authentication with Apache2

Hello Experts!

I'm hoping someone could help me with this question...

I am running an Apache 2.4.7 server on my Ubuntu 14.04 box with some public-facing sites. For some of those sites I've implemented Client Cert Authentication using self-signed certs. I am trying to change my configuration so that when a client connects to the site while on the same network as the server, the authentication is bypassed altogether.

Here's the snippet of my config file:
    SSLEngine On

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    SSLCertificateFile /etc/ssl/ca/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/ca/private/server.key
    SSLCACertificateFile /etc/ssl/ca/certs/serverCA.crt
    SSLVerifyClient require

    SSLProxyEngine Off

    ProxyRequests Off



I have tried modifying this configuration by moving SSLVerifyClient require into a Location block like so:
<Location />
  Order deny,allow
  Deny from all

  Allow from 192.168.1.0/24
  SSLVerifyClient require

  Satisfy any
</Location>


Unfortunately, that did not work: I would still either be prompted for the cert, or my site would be freely available from the internet.

Thank you very much for your help
dimaj asked:

David Johnson, CD, MVP (Owner) commented:
Client Cert Authentication using self-signed certs: never going to work with self-signed certs. Anyone can generate a self-signed certificate; you have nothing to authenticate against. There is NO trusted 3rd party. You need a Certificate Authority.
dimaj (Author) commented:
Thanks for the response, David!

I have my own CA. There are a bunch of guides online which tell you step by step how to generate the entire certificate chain and how to export the cert to be imported by the client.

The snippet above works perfectly well. When I go to my site, I am prompted for the certificate which I have imported into my keychain. If I do not have a certificate that matches the site's requirements, I'm given an error saying that it could not negotiate SSL, something or other.
Once I provide my cert via the browser, I'm treated to the "unsafe page" warning and I have to manually say that I do trust that client.
David Johnson, CD, MVP (Owner) commented:
You need the root certificate public key to be in the trusted root provider area of your keychain. If you are using a local CA then these are not self-signed certificates.
dimaj (Author) commented:
I assumed if I create all the certs myself, they're self-signed...

But that aside, any ideas on how to configure Apache to avoid asking clients for a cert when on the same network as the Apache server?
David Johnson, CD, MVP (Owner) commented:
AFAIK you can't do it that way. You either require a cert or you don't. You can only allow certain IP addresses though.
dimaj (Author) commented:
I'm assuming that's still part of Apache's configuration, right?

If so, I'll need to replace Allow from 192.168.1.0/24 with specific addresses?
David Johnson, CD, MVP (Owner) commented:
you will need mod_authz_host
in your htaccess:
    Order deny,allow
    Deny from all

and then use one of the following:

    Allow from 192.168.1
    Allow from 192.168.1.0/255.255.255.0
    Allow from 192.168.1.0/24

the most permissive wins
dimaj (Author) commented:
I think I found the solution... Here's how I configured my Apache:
<VirtualHost *:443>
    SSLEngine On

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    SSLCertificateFile /etc/ssl/ca/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/ca/private/server.key
    SSLCACertificateFile /etc/ssl/ca/certs/serverCA.crt
    # "optional" lets the handshake complete without a client cert;
    # the rewrite rules below decide who may proceed without one.
    SSLVerifyClient optional

    SSLProxyEngine Off

    ProxyRequests Off

    <Location />
        Order deny,allow
        Deny from all

        Satisfy any
        Allow from 192.168.1.0/24

        # Forbid (403) only when BOTH conditions hold: the client cert did
        # not verify AND the peer is not on the 192.168.1.0/24 LAN.
        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
        RewriteRule   ^  -  [F]
    </Location>
</VirtualHost>



This solution will still prompt me for a certificate if I have one in my keychain, but if I don't it will let me right in (as long as I am on the same network).

Thanks for your help!
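To see how the two RewriteConds in the accepted configuration combine with the `Allow from` range, here is an added Python model of that access decision; it is my code, not dimaj's configuration or anything from Apache. The request values, the LAN range and the probe addresses are constructed, and `LAN_RE_ESCAPED` is a hypothetical escaped form of the posted pattern.

```python
import ipaddress
import re

# Constructed model of the accepted configuration's access decision:
#   SSLVerifyClient optional                   -> SSL_CLIENT_VERIFY is SUCCESS or NONE
#   Allow from 192.168.1.0/24                  -> LAN below
#   RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
#   RewriteCond %{REMOTE_ADDR} !^192.168.1.[0-9]*$
#   RewriteRule ^ - [F]
# Both RewriteConds must match for the 403 to fire, so a request is admitted
# when EITHER the client certificate verified OR the peer address is on the LAN.

LAN = ipaddress.ip_network("192.168.1.0/24")
LAN_RE_AS_POSTED = re.compile(r"^192.168.1.[0-9]*$")       # dots unescaped, as posted
LAN_RE_ESCAPED = re.compile(r"^192\.168\.1\.[0-9]{1,3}$")  # hypothetical escaped form


def rewrite_forbids(ssl_client_verify, remote_addr, lan_re=LAN_RE_AS_POSTED):
    """True when both RewriteConds match, i.e. the RewriteRule answers 403."""
    cert_not_verified = ssl_client_verify != "SUCCESS"   # !^SUCCESS$
    not_on_lan = lan_re.match(remote_addr) is None        # !^192.168.1.[0-9]*$
    return cert_not_verified and not_on_lan


def decide(ssl_client_verify, remote_addr):
    """HTTP status the modelled vhost returns for one request."""
    return 403 if rewrite_forbids(ssl_client_verify, remote_addr) else 200


def regex_disagrees_with_allow_range(lan_re, probes):
    """Probe addresses on which the RewriteCond regex and the Allow range differ.

    The configuration states "same network" twice (Allow from and the regex);
    this check catches an edit to one that forgets the other.
    """
    mismatches = []
    for addr in probes:
        by_range = ipaddress.ip_address(addr) in LAN
        by_regex = lan_re.match(addr) is not None
        if by_range != by_regex:
            mismatches.append(addr)
    return mismatches


# Constructed probe set: every host in the /24 plus neighbours just outside it.
PROBES = [str(h) for h in LAN.hosts()] + [
    "192.168.0.255", "192.168.2.0", "192.168.10.5", "192.168.100.1", "203.0.113.9",
]

if __name__ == "__main__":
    for verify, addr in [("NONE", "192.168.1.42"), ("SUCCESS", "203.0.113.9"), ("NONE", "203.0.113.9")]:
        print(verify, addr, "->", decide(verify, addr))
    print("regex/range mismatches:", regex_disagrees_with_allow_range(LAN_RE_AS_POSTED, PROBES))
```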
dimaj (Author) commented:
This solution accomplishes exactly what I was looking for: it bypasses certificate authentication while on the same network as the server.