ssl_howto.html revision bcb3a46ccb6553019068f7bb2a7ac8548a3f72cf
0N/A<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
0N/A "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
0N/A
0N/A<html xmlns="http://www.w3.org/1999/xhtml">
0N/A <head>
0N/A<title>Apache SSL/TLS Encryption: How-To</title>
0N/A<style type="text/css"><!--
0N/A#H {
0N/A}
0N/A#D {
0N/A background-color: #f0f0f0;
0N/A}
0N/A--></style>
0N/A</head>
0N/A
0N/A<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
0N/A<!--#include virtual="header.html" -->
0N/A
873N/A<h1 align="CENTER">SSL/TLS Strong Encryption: How-To</h1>
0N/A
0N/A
0N/A<div align="right">
0N/A<table cellspacing="0" cellpadding="0" width="200" summary="">
0N/A<tr>
733N/A<td>
0N/A<em>
0N/A``The solution of this problem is trivial
0N/A and is left as an exercise for the reader.''
0N/A</em>
0N/A</td>
0N/A</tr>
0N/A<tr>
0N/A<td align="right">
0N/A<font size="-1">
0N/AStandard textbook cookie
0N/A</font>
0N/A</td>
0N/A</tr>
1155N/A</table>
0N/A</div>
0N/A
0N/A<p>
0N/AHow to solve particular security constraints for an SSL-aware webserver
0N/Ais not always obvious because of the coherences between SSL, HTTP and Apache's
0N/Away of processing requests. This chapter gives instructions on how to solve
0N/Asuch typical situations. Treat is as a first step to find out the final
1155N/Asolution, but always try to understand the stuff before you use it. Nothing is
0N/Aworse than using a security solution without knowing it's restrictions and
1155N/Acoherences.
0N/A
611N/A<ul>
1155N/A<li><a href="#ToC1">Cipher Suites and Enforced Strong Security</a></li>
0N/A<li><a href="#ToC2">SSLv2 only server</a></li>
0N/A<li><a href="#ToC3">strong encryption only server</a></li>
879N/A<li><a href="#ToC4">server gated cryptography</a></li>
868N/A<li><a href="#ToC5">stronger per-directory requirements</a></li>
1155N/A<li><a href="#ToC6">Client Authentication and Access Control</a></li>
1211N/A<li><a href="#ToC7">simple certificate-based client authentication</a></li>
1155N/A<li><a href="#ToC8">selective certificate-based client authentication</a></li>
1155N/A<li><a href="#ToC9">particular certificate-based client authentication</a></li>
1155N/A<li><a href="#ToC10">intranet vs. internet authentication</a></li>
0N/A</ul>
0N/A
0N/A<h2><a name="ToC1">Cipher Suites and Enforced Strong Security</a></h2>
0N/A<ul>
0N/A<p>
1155N/A<li><a name="ToC2"></a>
1155N/A <a name="cipher-sslv2"></a>
1155N/A <strong id="howto">
0N/AHow can I create a real SSLv2-only server?
0N/A</strong>&nbsp;&nbsp;
0N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sslv2"><b>L</b></a>]
0N/A <p>
0N/AThe following creates an SSL server which speaks only the SSLv2 protocol and
0N/Aits ciphers.
1155N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
349N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
202N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
349N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/ASSLProtocol -all +SSLv2
0N/ASSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
0N/A
0N/A</pre>
0N/A</td>
0N/A </tr>
0N/A </table>
0N/A </td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
1211N/A </tr>
1224N/A</table>
0N/A<p>
0N/A<li><a name="ToC3"></a>
0N/A <a name="cipher-strong"></a>
0N/A <strong id="howto">
0N/AHow can I create an SSL server which accepts strong encryption only?
0N/A</strong>&nbsp;&nbsp;
0N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-strong"><b>L</b></a>]
0N/A <p>
0N/AThe following enables only the seven strongest ciphers:
0N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
0N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/ASSLProtocol all
0N/ASSLCipherSuite HIGH:MEDIUM
0N/A
0N/A</pre>
0N/A</td>
0N/A </tr>
0N/A </table>
0N/A </td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A</table>
0N/A<p>
0N/A<li><a name="ToC4"></a>
0N/A <a name="cipher-sgc"></a>
0N/A <strong id="howto">
0N/AHow can I create an SSL server which accepts strong encryption only,
0N/Abut allows export browsers to upgrade to stronger encryption?
0N/A</strong>&nbsp;&nbsp;
0N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sgc"><b>L</b></a>]
0N/A <p>
0N/AThis facility is called Server Gated Cryptography (SGC) and details you can
0N/Afind in the <code>README.GlobalID</code> document in the mod_ssl distribution.
0N/AIn short: The server has a Global ID server certificate, signed by a special
0N/ACA certificate from Verisign which enables strong encryption in export
0N/Abrowsers. This works as following: The browser connects with an export cipher,
868N/Athe server sends it's Global ID certificate, the browser verifies it and
868N/Asubsequently upgrades the cipher suite before any HTTP communication takes
879N/Aplace. The question now is: How can we allow this upgrade, but enforce strong
868N/Aencryption. Or in other words: Browser either have to initially connect with
0N/Astrong encryption or have to upgrade to strong encryption, but are not allowed
0N/Ato keep the export ciphers. The following does the trick:
0N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
0N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/A# allow all ciphers for the inital handshake,
0N/A# so export browsers can upgrade via SGC facility
0N/ASSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
0N/A&lt;Directory /usr/local/apache/htdocs&gt;
0N/A# but finally deny all browsers which haven't upgraded
0N/ASSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128
0N/A&lt;/Directory&gt;
1155N/A
0N/A</pre>
0N/A</td>
0N/A </tr>
0N/A </table>
1155N/A </td>
1155N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
1155N/A </tr>
0N/A</table>
0N/A<p>
0N/A<li><a name="ToC5"></a>
0N/A <a name="cipher-perdir"></a>
349N/A <strong id="howto">
349N/AHow can I create an SSL server which accepts all types of ciphers in general,
0N/Abut requires a strong ciphers for access to a particular URL?
0N/A</strong>&nbsp;&nbsp;
0N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-perdir"><b>L</b></a>]
868N/A <p>
868N/AObviously you cannot just use a server-wide <code>SSLCipherSuite</code> which
879N/Arestricts the ciphers to the strong variants. But mod_ssl allows you to
868N/Areconfigure the cipher suite in per-directory context and automatically forces
0N/Aa renegotiation of the SSL parameters to meet the new configuration. So, the
0N/Asolution is:
0N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
349N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
349N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
349N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
349N/A </tr>
349N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
868N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
868N/A </tr>
879N/A <tr>
868N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
349N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
349N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
349N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
349N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
349N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
518N/A <td>
0N/A<pre>
518N/A
518N/A# be liberal in general
518N/ASSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
518N/A&lt;Location /strong/area&gt;
518N/A# but https://hostname/strong/area/ and below requires strong ciphers
0N/ASSLCipherSuite HIGH:MEDIUM
518N/A&lt;/Location&gt;
518N/A
868N/A</pre>
868N/A</td>
879N/A </tr>
868N/A </table>
518N/A </td>
518N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
518N/A </tr>
518N/A <tr>
518N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
1227N/A</table>
1227N/A</ul>
1227N/A<h2><a name="ToC6">Client Authentication and Access Control</a></h2>
1227N/A<ul>
1227N/A<p>
1227N/A<li><a name="ToC7"></a>
1227N/A <a name="auth-simple"></a>
1227N/A <strong id="howto">
1227N/AHow can I authenticate clients based on certificates when I know all my
1227N/Aclients?
1227N/A</strong>&nbsp;&nbsp;
1227N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-simple"><b>L</b></a>]
1227N/A <p>
1227N/AWhen you know your user community (i.e. a closed user group situation), as
1227N/Ait's the case for instance in an Intranet, you can use plain certificate
1227N/Aauthentication. All you have to do is to create client certificates signed by
1227N/Ayour own CA certificate <code>ca.crt</code> and then verifiy the clients
1227N/Aagainst this certificate.
1227N/A<p>
1227N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
1227N/A <tr>
1227N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
1227N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
1227N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
1227N/A </tr>
1227N/A <tr>
1155N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
1155N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
1155N/A </tr>
1155N/A <tr>
1155N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/A# require a client certificate which has to be directly
1155N/A# signed by our CA certificate in ca.crt
1155N/ASSLVerifyClient require
1155N/ASSLVerifyDepth 1
1155N/ASSLCACertificateFile conf/ssl.crt/ca.crt
0N/A
1155N/A</pre>
349N/A</td>
0N/A </tr>
0N/A </table>
0N/A </td>
611N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
611N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
868N/A </tr>
868N/A</table>
879N/A<p>
868N/A<li><a name="ToC8"></a>
0N/A <a name="auth-selective"></a>
0N/A <strong id="howto">
0N/AHow can I authenticate my clients for a particular URL based on certificates
0N/Abut still allow arbitrary clients to access the remaining parts of the server?
0N/A</strong>&nbsp;&nbsp;
0N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-selective"><b>L</b></a>]
0N/A <p>
0N/AFor this we again use the per-directory reconfiguration feature of mod_ssl:
0N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
0N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
349N/A <tr>
1094N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
868N/A </tr>
868N/A <tr>
879N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
868N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/ASSLVerifyClient none
0N/ASSLCACertificateFile conf/ssl.crt/ca.crt
0N/A&lt;Location /secure/area&gt;
0N/ASSLVerifyClient require
0N/ASSLVerifyDepth 1
0N/A&lt;/Location&gt;
0N/A
0N/A</pre>
0N/A</td>
0N/A </tr>
0N/A </table>
0N/A </td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A</table>
0N/A<p>
0N/A<li><a name="ToC9"></a>
0N/A <a name="auth-particular"></a>
0N/A <strong id="howto">
0N/AHow can I authenticate only particular clients for a some URLs based
0N/Aon certificates but still allow arbitrary clients to access the remaining
0N/Aparts of the server?
0N/A</strong>&nbsp;&nbsp;
0N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-particular"><b>L</b></a>]
0N/A <p>
0N/AThe key is to check for various ingredients of the client certficate. Usually
0N/Athis means to check the whole or part of the Distinguished Name (DN) of the
0N/ASubject. For this two methods exists: The <code>mod_auth</code> based variant
0N/Aand the <code>SSLRequire</code> variant. The first method is good when the
0N/Aclients are of totally different type, i.e. when their DNs have no common
0N/Afields (usually the organisation, etc.). In this case you've to establish a
0N/Apassword database containing <em>all</em> clients. The second method is better
0N/Awhen your clients are all part of a common hierarchy which is encoded into the
0N/ADN. Then you can match them more easily.
0N/A<p>
0N/AThe first method:
0N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
0N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.conf</font>&nbsp;&nbsp;</td>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/ASSLVerifyClient none
0N/A&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
0N/ASSLVerifyClient require
0N/ASSLVerifyDepth 5
0N/ASSLCACertificateFile conf/ssl.crt/ca.crt
0N/ASSLCACertificatePath conf/ssl.crt
0N/ASSLOptions +FakeBasicAuth
0N/ASSLRequireSSL
0N/AAuthName "Snake Oil Authentication"
0N/AAuthType Basic
0N/AAuthUserFile /usr/local/apache/conf/httpd.passwd
0N/Arequire valid-user
0N/A&lt;/Directory&gt;
0N/A
0N/A</pre>
0N/A</td>
0N/A </tr>
0N/A </table>
0N/A </td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A</table>
0N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
0N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.passwd</font>&nbsp;&nbsp;</td>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/A/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
698N/A/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
0N/A/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
0N/A
0N/A</pre>
0N/A</td>
0N/A </tr>
0N/A </table>
0N/A </td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A</table>
0N/A<p>
0N/AThe second method:
0N/A<p>
0N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
0N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
617N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
617N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
617N/A </tr>
617N/A <tr>
617N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
617N/A <td colspan="3" bgcolor="#ffffff">
617N/A <table border="0" cellspacing="4" summary="">
617N/A <tr>
617N/A <td>
617N/A<pre>
617N/A
617N/ASSLVerifyClient none
868N/A&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
868N/ASSLVerifyClient require
879N/ASSLVerifyDepth 5
868N/ASSLCACertificateFile conf/ssl.crt/ca.crt
617N/ASSLCACertificatePath conf/ssl.crt
617N/ASSLOptions +FakeBasicAuth
617N/ASSLRequireSSL
617N/ASSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
617N/A %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
617N/A&lt;/Directory&gt;
617N/A
617N/A</pre>
617N/A</td>
0N/A </tr>
0N/A </table>
0N/A </td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A</table>
0N/A<p>
0N/A<li><a name="ToC10"></a>
0N/A <a name="auth-intranet"></a>
0N/A <strong id="howto"> How can
0N/AI require HTTPS with strong ciphers and either basic authentication or client
349N/Acertificates for access to a subarea on the Intranet website for clients
0N/Acoming from the Internet but still allow plain HTTP access for clients on the
0N/AIntranet?
0N/A</strong>&nbsp;&nbsp;
0N/A [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-intranet"><b>L</b></a>]
0N/A <p>
0N/ALet us assume the Intranet can be distinguished through the IP network
0N/A192.160.1.0/24 and the subarea on the Intranet website has the URL
868N/A<tt>/subarea</tt>. Then configure the following outside your HTTPS virtual
868N/Ahost (so it applies to both HTTPS and HTTP):
879N/A<p>
868N/A<table border="0" cellpadding="0" cellspacing="0" summary="">
0N/A <tr>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
0N/A <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
0N/A <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
868N/A <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
868N/A </tr>
879N/A <tr>
868N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A <td colspan="3" bgcolor="#ffffff">
0N/A <table border="0" cellspacing="4" summary="">
0N/A <tr>
0N/A <td>
0N/A<pre>
0N/A
0N/ASSLCACertificateFile conf/ssl.crt/company-ca.crt
0N/A
0N/A&lt;Directory /usr/local/apache/htdocs&gt;
0N/A# Outside the subarea only Intranet access is granted
0N/AOrder deny,allow
0N/ADeny from all
0N/AAllow from 192.168.1.0/24
0N/A&lt;/Directory&gt;
0N/A
0N/A&lt;Directory /usr/local/apache/htdocs/subarea&gt;
0N/A# Inside the subarea any Intranet access is allowed
0N/A# but from the Internet only HTTPS + Strong-Cipher + Password
0N/A# or the alternative HTTPS + Strong-Cipher + Client-Certificate
0N/A
0N/A# If HTTPS is used, make sure a strong cipher is used.
0N/A# Additionally allow client certs as alternative to basic auth.
0N/ASSLVerifyClient optional
0N/ASSLVerifyDepth 1
0N/ASSLOptions +FakeBasicAuth +StrictRequire
0N/ASSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128
0N/A
0N/A# Force clients from the Internet to use HTTPS
349N/ARewriteEngine on
0N/ARewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
0N/ARewriteCond %{HTTPS} !=on
0N/ARewriteRule .* - [F]
0N/A
0N/A# Allow Network Access and/or Basic Auth
0N/ASatisfy any
0N/A
868N/A# Network Access Control
868N/AOrder deny,allow
879N/ADeny from all
868N/AAllow 192.168.1.0/24
0N/A
0N/A# HTTP Basic Authentication
0N/AAuthType basic
0N/AAuthName "Protected Intranet Area"
0N/AAuthUserFile conf/protected.passwd
0N/ARequire valid-user
0N/A&lt;/Directory&gt;
868N/A
868N/A</pre>
879N/A</td>
868N/A </tr>
0N/A </table>
0N/A </td>
0N/A
0N/A <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A <tr>
0N/A <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
0N/A </tr>
0N/A</table>
0N/A</ul>
0N/A
0N/A<p><!--#include virtual="footer.html" --> </p>
0N/A </body>
0N/A</html>