<?xml version="1.0" encoding="ISO-8859-1"?>
<p>The solution of this problem is trivial
and is left as an exercise for the reader.</p>
<p class="cite">-- <cite>Standard textbook cookie</cite></p>
<p>How to solve particular security constraints for an SSL-aware
webserver is not always obvious because of the interdependencies between SSL,
HTTP and Apache's way of processing requests. This chapter gives
instructions on how to solve such typical situations. Treat it as a first
step towards the final solution, but always try to understand the
material before you use it. Nothing is worse than using a security solution
without knowing its restrictions and interdependencies.</p>
</div>
<div class="section">
<h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforced Strong Security</a></h2>
<li><a href="#realssl">SSLv2 only server</a></li>
<li><a href="#onlystrong">strong encryption only server</a></li>
<li><a href="#upgradeenc">server gated cryptography</a></li>
<li><a href="#strongurl">stronger per-directory requirements</a></li>
<h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3>
<p>The following creates an SSL server which speaks only the SSLv2 protocol and
SSLProtocol -all +SSLv2<br />
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br />
<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption</a></h3>
<p>The following enables only the seven strongest ciphers:</p>
SSLProtocol all<br />
SSLCipherSuite HIGH:MEDIUM<br />
<h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which accepts strong encryption
only, but allows export browsers to upgrade to stronger encryption?</a></h3>
<p>This facility is called Server Gated Cryptography (SGC) and details
mod_ssl distribution. In short: the server has a Global ID server
certificate, signed by a special CA certificate from Verisign, which
enables strong encryption in export browsers. This works as follows:
the browser connects with an export cipher, the server sends its Global
ID certificate, the browser verifies it and subsequently upgrades the
cipher suite before any HTTP communication takes place. The question
now is: how can we allow this upgrade, but still enforce strong encryption?
In other words: browsers either have to initially connect with
strong encryption or have to upgrade to strong encryption, but are
not allowed to keep the export ciphers. The following does the trick:</p>
# allow all ciphers for the initial handshake,<br />
# so export browsers can upgrade via SGC facility<br />
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
# but finally deny all browsers which haven't upgraded<br />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128<br />
<h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers
in general, but requires strong ciphers for access to a particular</a></h3>
<p>Obviously you cannot just use a server-wide <code class="directive"><a href="/mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts the
ciphers to the strong variants. But mod_ssl allows you to reconfigure
the cipher suite in per-directory context and automatically forces
a renegotiation of the SSL parameters to meet the new configuration.
So, the solution is:</p>
<div class="example"><p><code>
# be liberal in general<br />
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
# require strong ciphers<br />
SSLCipherSuite HIGH:MEDIUM<br />
</code></p></div>
<div class="section">
<h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2>
<li><a href="#allclients">simple certificate-based client authentication</a></li>
<li><a href="#arbitraryclients">selective certificate-based client authentication</a></li>
<li><a href="#certauthenticate">particular certificate-based client authentication</a></li>
<li><a href="#intranet">intranet vs. internet authentication</a></li>
<h3><a name="allclients" id="allclients">How can I authenticate clients based on certificates when I know
all my clients?</a></h3>
<p>When you know your user community (i.e. a closed user group
situation), as is the case for instance in an Intranet, you can
use plain certificate authentication. All you have to do is to
create client certificates signed by your own CA certificate
<code>ca.crt</code> and then verify the clients against this
# require a client certificate which has to be directly<br />
# signed by our CA certificate in ca.crt<br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
<h3><a name="arbitraryclients" id="arbitraryclients">How can I authenticate my clients for a particular URL based on
certificates but still allow arbitrary clients to access the remaining
parts of the server?</a></h3>
<p>For this we again use the per-directory reconfiguration feature
SSLVerifyClient none<br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
</Location><br />
<h3><a name="certauthenticate" id="certauthenticate">How can I authenticate only particular clients for some URLs based
on certificates but still allow arbitrary clients to access the remaining
parts of the server?</a></h3>
<p>The key is to check for various ingredients of the client certificate.
Usually this means checking the whole or part of the Distinguished
Name (DN) of the Subject. For this, two methods exist: the <code class="module"><a href="/mod/mod_auth.html">mod_auth</a></code> based variant and the <code class="directive"><a href="/mod/mod_ssl.html#sslrequire">SSLRequire</a></code> variant. The first method is good when the
clients are of totally different types, i.e. when their DNs have no
common fields (usually the organisation, etc.). In this case you have
to establish a password database containing <em>all</em> clients. The
second method is better when your clients are all part of a common
hierarchy which is encoded into the DN. Then you can match them more
<p>The first method:</p>
SSLVerifyClient require
SSLOptions +FakeBasicAuth
AuthName "Snake Oil Authentication"
</Directory></pre></div>
<p>The second method:</p>
SSLVerifyClient require
SSLOptions +FakeBasicAuth
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
           and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
</Directory></pre></div>
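<p>The following is an added example and not code from the mod_ssl documentation or from the Apache project: a small model of the access decision the second method expresses with <code>SSLRequire</code>. It parses the one-line subject DN that mod_ssl exposes as <code>SSL_CLIENT_S_DN</code>, derives the per-attribute variables (<code>SSL_CLIENT_S_DN_O</code>, <code>SSL_CLIENT_S_DN_OU</code>) and applies the page's rule to them, so you can check which certificates a rule admits before deploying it. The helper names, the sample DNs and the simplifications noted in the comments (no <code>/</code> inside attribute values, first occurrence wins when an attribute repeats) are assumptions of this example.</p>

```python
from typing import Dict

# Constructed sample subject DNs in the one-line "/attr=value/..." form that
# mod_ssl places in SSL_CLIENT_S_DN. They are not taken from any real certificate.
SAMPLE_DNS = {
    "staff":    "/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd./OU=Staff/CN=Alice",
    "customer": "/C=XY/O=Snake Oil, Ltd./OU=Customer/CN=Bob",
    "outsider": "/C=XY/O=Other Corp./OU=Staff/CN=Mallory",
}

ALLOWED_ORG = "Snake Oil, Ltd."            # %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
ALLOWED_UNITS = {"Staff", "CA", "Dev"}     # %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Split "/C=XY/O=Snake Oil, Ltd./OU=Staff/CN=Alice" into {"C": "XY", ...}.

    Assumptions of this model: attribute values contain no "/" and, where an
    attribute appears more than once, the first occurrence is the one kept.
    """
    parts: Dict[str, str] = {}
    for component in dn.split("/"):
        if not component:
            continue
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        attr, value = component.split("=", 1)
        parts.setdefault(attr, value)
    return parts


def ssl_env_for_client(dn: str) -> Dict[str, str]:
    """Derive the SSL_CLIENT_S_DN_* variables that SSLRequire can reference."""
    env = {"SSL_CLIENT_S_DN": dn}
    for attr, value in parse_subject_dn(dn).items():
        env[f"SSL_CLIENT_S_DN_{attr}"] = value
    return env


def fake_basic_auth_user(dn: str) -> str:
    """With SSLOptions +FakeBasicAuth the subject DN itself becomes the Basic
    Authentication username, which is why the first method needs a password
    database that lists every client's DN."""
    return dn


def second_method_allows(env: Dict[str, str]) -> bool:
    """Evaluate the page's rule against the SSL environment of one request.

    A missing attribute evaluates as an empty string and therefore matches
    nothing, so the request is denied; a client without any certificate never
    reaches this point because SSLVerifyClient require rejects it earlier.
    """
    org = env.get("SSL_CLIENT_S_DN_O", "")
    unit = env.get("SSL_CLIENT_S_DN_OU", "")
    return org == ALLOWED_ORG and unit in ALLOWED_UNITS


def decide(dn: str) -> bool:
    """Convenience wrapper: subject DN in, allow/deny out."""
    return second_method_allows(ssl_env_for_client(dn))


if __name__ == "__main__":
    for name, dn in SAMPLE_DNS.items():
        verdict = "allow" if decide(dn) else "deny"
        print(f"{name:9s} {verdict:5s} user={fake_basic_auth_user(dn)}")
```

<p>Note that only the organisation and unit fields take part in the decision, so the model shows clearly that a certificate for a different <code>O</code> with a matching <code>OU</code> (the "outsider" sample) is rejected, and that a certificate for the right organisation but an unlisted unit is rejected as well.</p>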
<h3><a name="intranet" id="intranet">How can I require HTTPS with strong ciphers and either basic
authentication or client certificates for access to a subarea on the
Intranet website for clients coming from the Internet but still allow
plain HTTP access for clients on the Intranet?</a></h3>
<p>Let us assume the Intranet can be distinguished through the IP
the URL <code>/subarea</code>. Then configure the following outside
your HTTPS virtual host (so it applies to both HTTPS and HTTP):</p>
# Outside the subarea only Intranet access is granted
# Inside the subarea any Intranet access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate
# If HTTPS is used, make sure a strong cipher is used.
# Additionally allow client certs as alternative to basic auth.
SSLVerifyClient optional
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# Force clients from the Internet to use HTTPS
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond %{HTTPS} !=on
# Network Access Control
# HTTP Basic Authentication
AuthName "Protected Intranet Area"
</Directory></pre></div>
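<p>The following is an added example, not code from the mod_ssl documentation or from Apache: a model of the access policy that the comments in the configuration above describe, written so that each branch (intranet vs. Internet client, inside vs. outside the subarea, plain HTTP vs. HTTPS, weak vs. strong cipher, password vs. client certificate) can be exercised on sample requests before the real configuration is trusted. The intranet range, the <code>/subarea</code> path and the 128-bit key-size floor are the page's values; the <code>Request</code> and <code>Decision</code> types, the helper names and the sample requests are assumptions of this example, and the model treats the page's <code>RewriteCond</code> address pattern as the network 192.168.1.0/24 and the subarea as a URL prefix.</p>

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTRANET = ip_network("192.168.1.0/24")  # the RewriteCond ^192\.168\.1\.[0-9]+$ range (model)
SUBAREA = "/subarea"                      # the page's protected subarea, matched as a URL prefix
MIN_KEY_BITS = 128                        # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128


@dataclass
class Request:
    """The request properties the page's directives look at (constructed for this model)."""
    remote_addr: str
    path: str
    https: bool
    cipher_usekeysize: int = 0          # SSL_CIPHER_USEKEYSIZE; 0 when the request is plain HTTP
    client_cert_verified: bool = False  # SSLVerifyClient optional: certificate presented and verified
    basic_auth_ok: bool = False         # valid credentials against the intranet password file


@dataclass
class Decision:
    action: str   # "allow", "deny" or "redirect" (redirect = the RewriteCond pair forcing HTTPS)
    reason: str


def evaluate(req: Request) -> Decision:
    on_intranet = ip_address(req.remote_addr) in INTRANET
    in_subarea = req.path == SUBAREA or req.path.startswith(SUBAREA + "/")

    # "Outside the subarea only Intranet access is granted"
    if not in_subarea:
        if on_intranet:
            return Decision("allow", "intranet client outside the subarea")
        return Decision("deny", "internet client outside the subarea")

    # "If HTTPS is used, make sure a strong cipher is used": SSLRequire together
    # with +StrictRequire denies a weak HTTPS cipher regardless of any other
    # access rule that would otherwise satisfy the request.
    if req.https and req.cipher_usekeysize < MIN_KEY_BITS:
        return Decision("deny", f"HTTPS cipher uses {req.cipher_usekeysize} bits, need >= {MIN_KEY_BITS}")

    # "Inside the subarea any Intranet access is allowed"
    if on_intranet:
        return Decision("allow", "intranet client inside the subarea")

    # "Force clients from the Internet to use HTTPS"
    if not req.https:
        return Decision("redirect", "internet client must use HTTPS for the subarea")

    # "HTTPS + Strong-Cipher + Password" or "HTTPS + Strong-Cipher + Client-Certificate";
    # the certificate path works through +FakeBasicAuth turning the verified DN into a user.
    if req.client_cert_verified or req.basic_auth_ok:
        return Decision("allow", "internet client over strong HTTPS with certificate or password")
    return Decision("deny", "internet client over strong HTTPS without certificate or password")


if __name__ == "__main__":
    samples = [  # constructed requests covering each branch of the policy
        Request("192.168.1.10", "/index.html", https=False),
        Request("203.0.113.5", "/index.html", https=False),
        Request("203.0.113.5", "/subarea/report", https=False),
        Request("203.0.113.5", "/subarea/report", https=True, cipher_usekeysize=40, basic_auth_ok=True),
        Request("203.0.113.5", "/subarea/report", https=True, cipher_usekeysize=256, basic_auth_ok=True),
        Request("203.0.113.5", "/subarea/report", https=True, cipher_usekeysize=256, client_cert_verified=True),
        Request("203.0.113.5", "/subarea/report", https=True, cipher_usekeysize=256),
        Request("192.168.1.10", "/subarea/report", https=True, cipher_usekeysize=40),
    ]
    for req in samples:
        d = evaluate(req)
        print(f"{req.remote_addr:13s} {req.path:16s} https={req.https!s:5s} -> {d.action:8s} {d.reason}")
```

<p>The order of the checks matters: the key-size test sits before the intranet shortcut because <code>+StrictRequire</code> makes an <code>SSLRequire</code> failure final even where a <code>Satisfy any</code> style rule would otherwise let the request through, so an intranet client that chose HTTPS with an export cipher is refused rather than waved through, exactly as the page intends.</p>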