Monday, 6 October 2014

... and another Apache httpd story ... client authentication of proxied requests

CentOS/RHEL 6.3, Apache httpd 2.2.15
The goal: let httpd listen on port 80 for plain, unencrypted HTTP requests and forward each request to https://some.site/, a HTTPS site that requires client (certificate) authentication.

Findings:

Client certificate key/cert file format (directive SSLProxyMachineCertificateFile):
  • key + certificate need to be in a single PEM file looking something like
    -----BEGIN RSA PRIVATE KEY-----
    MIIE...
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MII...
    ...
    -----END CERTIFICATE-----
  • mind the RSA word in the private key header (-----BEGIN RSA PRIVATE KEY-----): some openssl versions write the header with the RSA letters and some without
  • without RSA the header reads -----BEGIN PRIVATE KEY----- (the PKCS#8 form)
  • my version of apache httpd wants it there (it fails to start otherwise, see the reference below)
Renegotiation at the server side is not supported: once the proxied TLS connection to the backend is established, httpd 2.2 cannot renegotiate it to present the client certificate later. The backend server should therefore be configured to demand client authentication on every request. To avoid a TLS renegotiation when a protected resource is entered, SSLVerifyClient should be set at VirtualHost level or server level, not in a per-directory or Location context.
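Both sides of the setup described above, as an added configuration example (not taken from the original post). Host names, file paths and the CA files are placeholders; the SSLProxyVerify/SSLProxyCACertificateFile lines, which make the proxy verify the backend's server certificate, are additional hardening the post does not mention.

```apache
# Front end: plain HTTP on port 80, forwarded over HTTPS with a client certificate.
# Host names and paths below are placeholders, not values from the original post.
Listen 80
<VirtualHost *:80>
    ServerName proxy.example.internal
    SSLProxyEngine On
    # Single PEM file: the "-----BEGIN RSA PRIVATE KEY-----" block followed by the
    # certificate. httpd 2.2.15 fails to start when the key header lacks the RSA
    # word (the PKCS#8 "-----BEGIN PRIVATE KEY-----" form). The key must be unencrypted;
    # mod_ssl has no way to ask for a passphrase for a proxy client key.
    SSLProxyMachineCertificateFile /etc/httpd/conf/proxy-client.pem
    # Verify the backend's server certificate against the CA that issued it
    # (added hardening; the default SSLProxyVerify is "none").
    SSLProxyCACertificateFile /etc/httpd/conf/backend-ca.pem
    SSLProxyVerify require
    ProxyRequests Off
    ProxyPass        / https://some.site/
    ProxyPassReverse / https://some.site/
</VirtualHost>

# Back end (some.site): client authentication at VirtualHost scope, so every request
# is authenticated during the initial handshake and no renegotiation is ever needed.
Listen 443
<VirtualHost *:443>
    ServerName some.site
    SSLEngine On
    SSLCertificateFile    /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    # CA that issued the proxy's client certificate.
    SSLCACertificateFile  /etc/httpd/conf/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2
    DocumentRoot /var/www/html

    # The weak variant, shown disabled: requiring the client certificate only for a
    # sub-tree forces a renegotiation on the first request into that tree, which the
    # proxying httpd 2.2 cannot perform, so those requests fail.
    # <Location /protected>
    #     SSLVerifyClient require
    # </Location>
</VirtualHost>
```

Check with `httpd -t` after editing; the start-up failure on a key file without the RSA header shows up at this point rather than on the first proxied request.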

After the above changes were made, the server started and operated as expected.

References:
http://apache-http-server.18135.x6.nabble.com/Apache-fails-to-start-if-SSLProxyMachineCertificateFile-does-not-contain-RSA-td5009238.html