
Monday, 6 October 2014

... and another Apache httpd story ... client authentication of proxied requests

CentOS/RHEL 6.3, Apache httpd 2.2.15
The goal: let httpd listen on port 80 for plain, unencrypted HTTP requests and forward them to https://some.site/, an HTTPS site that requires client (certificate) authentication.

Findings:

Client certificate key/cert file format (directive SSLProxyMachineCertificateFile):
  • key + certificate need to be in a single PEM file looking something like
    -----BEGIN RSA PRIVATE KEY-----
    MIIE...
    ...
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MII...
    ...
    ...
    -----END CERTIFICATE-----
  • mind the RSA part of the private key header (emphasized above): some openssl versions write the header with the RSA letters and some without them
  • my version of apache httpd wants it there
Re-negotiation on the server side is not supported. The server should be configured to protect every request with client auth. To avoid a TLS renegotiation when entering a protected resource, SSLVerifyClient should be configured at the VirtualHost or server level.

After the above changes were made, the server started and operated as expected.
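An added example, not part of the original post, that turns the two findings above into a check you can run before restarting httpd: it assembles the combined PEM file that SSLProxyMachineCertificateFile expects (RSA PRIVATE KEY block first, then the CERTIFICATE), converts a PKCS#8 "BEGIN PRIVATE KEY" block (what newer openssl writes) into the traditional "BEGIN RSA PRIVATE KEY" form that this httpd version wants, and validates the result. The sample key and certificate DER are constructed toy structures, not real key material; the function names and the minimal DER parser are my own, not httpd or OpenSSL code.

```python
import base64
import re

# rsaEncryption OID 1.2.840.113549.1.1.1 in DER encoding
RSA_OID = bytes.fromhex("2a864886f70d010101")

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def _der(tag, value):
    """Encode one DER TLV (definite length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos). Definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pkcs8_to_pkcs1(der):
    """Unwrap an unencrypted PKCS#8 PrivateKeyInfo (BEGIN PRIVATE KEY) into the
    RSAPrivateKey DER that the 'RSA PRIVATE KEY' label carries."""
    tag, body, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    pos = 0
    _, _version, pos = _der_tlv(body, pos)        # version INTEGER
    _, alg, pos = _der_tlv(body, pos)             # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, inner, _ = _der_tlv(body, pos)           # OCTET STRING wrapping RSAPrivateKey
    if tag != 0x04:
        raise ValueError("expected OCTET STRING with the private key")
    return inner


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def build_machine_cert_file(key_pem, cert_pem):
    """Produce SSLProxyMachineCertificateFile content: key block first (with the
    RSA letters in the header), then the certificate(s)."""
    label, der = pem_blocks(key_pem)[0]
    if label == "PRIVATE KEY":          # PKCS#8 form: unwrap to PKCS#1
        der = pkcs8_to_pkcs1(der)
    elif label != "RSA PRIVATE KEY":
        raise ValueError("unsupported key block: %s" % label)
    certs = [d for l, d in pem_blocks(cert_pem) if l == "CERTIFICATE"]
    return to_pem("RSA PRIVATE KEY", der) + "".join(to_pem("CERTIFICATE", c) for c in certs)


def check_machine_cert_file(text):
    """True when the file has an 'RSA PRIVATE KEY' block first, followed only by certificates."""
    labels = [l for l, _ in pem_blocks(text)]
    return (labels[:1] == ["RSA PRIVATE KEY"] and len(labels) >= 2
            and all(l == "CERTIFICATE" for l in labels[1:]))


# Constructed sample input (toy DER, NOT a real key or certificate):
FAKE_RSA_KEY = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x0b") + _der(0x02, b"\x03"))
FAKE_PKCS8 = _der(0x30, _der(0x02, b"\x00")
                  + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                  + _der(0x04, FAKE_RSA_KEY))
SAMPLE_KEY_PEM = to_pem("PRIVATE KEY", FAKE_PKCS8)          # header without the RSA letters
SAMPLE_CERT_PEM = to_pem("CERTIFICATE", _der(0x30, b"constructed-placeholder-cert"))

if __name__ == "__main__":
    combined = build_machine_cert_file(SAMPLE_KEY_PEM, SAMPLE_CERT_PEM)
    print(combined)
    print("valid for SSLProxyMachineCertificateFile:", check_machine_cert_file(combined))
```

In practice the same label conversion is done with `openssl rsa -in key.pem -out key-pkcs1.pem` (on OpenSSL 3.x add `-traditional`); the point of the parser here is only to show what the "RSA" in the header actually means: a PKCS#1 RSAPrivateKey on its own, versus the same structure wrapped in a PKCS#8 PrivateKeyInfo, which httpd 2.2.15 does not accept in this directive.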

References:
http://apache-http-server.18135.x6.nabble.com/Apache-fails-to-start-if-SSLProxyMachineCertificateFile-does-not-contain-RSA-td5009238.html


Monday, 29 September 2014

Apache httpd 2.4.6 hangs not servicing HTTPS

A lot of pain ... till the solution was found:
# Apparently this fixes an issue with Apache 2.4.6 on Windows hanging
# when serving requests from Internet Explorer 10/11.
# see http://stijndewitt.wordpress.com/2014/01/10/apache-hangs-ie11/
AcceptFilter http none
AcceptFilter https none