cacert-sysadm - Re: mozilla updates and broken "optional" client certificate authentication (the lists.cacert.org experiment)

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

Re: mozilla updates and broken "optional" client certificate authentication (the lists.cacert.org experiment)

  • From: Daniel Black <daniel AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: Re: mozilla updates and broken "optional" client certificate authentication (the lists.cacert.org experiment)
  • Date: Wed, 3 Mar 2010 13:10:11 +1100
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
  • Organization: CAcert


On the principle that disclosing what doesn't work is sometimes as useful as
what does, here's what I tried:

Before, https://lists.cacert.org had a number of URLs with location-specific
SSL client directives. So:
https://lists.cacert.org/wws has a <Location /wws> tag with SSLVerifyClient optional
https://lists.cacert.org/nocert has a <Location /nocert> tag with SSLVerifyClient none
and
https://lists.cacert.org/requirecert has a <Location /requirecert> tag with SSLVerifyClient required

Based on
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/53fcc61b02fa8e03
I intended to do just that: split it into three sites:
https://lists.cacert.org, https://nocert.lists.cacert.org
and https://cert.lists.cacert.org

After getting the DNS organised (thanks Wytze) and getting a certificate with
subjectAltNames for these (thanks Ted), we have a certificate for what's there now.

From there I entered the dim dark territory of SSL virtual hosting with an 
apache configuration like:

File: sympassl (Common Directives)
        ServerAdmin webmaster@cacert.org
        DocumentRoot /var/www/

        LogLevel warn
        # Access log goes to syslog via logger; %{SSL_CLIENT_S_DN}x records the
        # client certificate subject (empty when no certificate was presented)
        CustomLog "|/usr/bin/logger -t apache -p local1.info" "%h %l %{SSL_CLIENT_S_DN}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
        ErrorLog syslog:local0

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem

        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!IDEA:!RC2:!RC4:@STRENGTH

        # CA certificates used to verify client certificates, and the CA names
        # advertised to the browser in the CertificateRequest
        SSLCACertificatePath /usr/share/ca-certificates/cacert.org/
        SSLCADNRequestPath /usr/share/ca-certificates/cacert.org/
        SSLVerifyDepth  10
        SSLOptions +StdEnvVars +ExportCertData

        # For SYMPA
        Alias /wwsicons /usr/share/sympa/icons

        <Location /static-sympa>
                <IfModule mod_expires.c>
                    ExpiresActive On
                    ExpiresDefault "access plus 1 month"
                </IfModule>
                <IfModule mod_deflate.c>
                    SetOutputFilter DEFLATE
                </IfModule>
                FileETag MTime
        </Location>

        ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa.fcgi

$ cat sympa-lists.cacert.org
NameVirtualHost *:443
ServerTokens ProductOnly
ServerSignature Off
<VirtualHost *:443>
        ServerName lists.cacert.org
        SSLVerifyClient optional

        Include  /etc/apache2/sites-available/sympassl

        <Location /requirecert>
                RedirectMatch permanent /requirecert/(.*)$ https://cert.lists.cacert.org/wws/$1
        </Location>

        <Location /nocert>
                RedirectMatch permanent /nocert/(.*)$ https://nocert.lists.cacert.org/wws/$1
        </Location>

</VirtualHost>

$ cat sympa-nocert.lists.cacert.org
<VirtualHost *:443>
        ServerName lists.cacert.org
        SSLVerifyClient none

        Include  /etc/apache2/sites-available/sympassl

        <Location /requirecert>
                RedirectMatch permanent /requirecert/(.*)$ https://cert.lists.cacert.org/wws/$1
        </Location>

</VirtualHost>

$ cat sympa-cert.lists.cacert.org
<VirtualHost *:443>
        ServerName cert.lists.cacert.org
        SSLVerifyClient require

        Include  /etc/apache2/sites-available/sympassl

        <Location /nocert>
                RedirectMatch permanent /nocert/(.*)$ https://nocert.lists.cacert.org/wws/$1
        </Location>

</VirtualHost>

What seems to happen is that apache picks up the strongest of the SSLVerifyClient
criteria (require) and applies it to the whole tree of sites.

This was with the Apache version packaged by Debian, 2.2.3-4+etch11.

Concluding:

Site-specific SSL virtual hosting is not going to solve this problem. Apache
negotiation doesn't recognise the virtual host specific requirements with regard
to client certificate verification.
What would probably work is if these three were on different IP addresses.

Also likely to work is a SNI enabled version of Apache (which is next on the 
TODO list).

Or I might try lighttpd, which got SNI in 1.4.24
(http://redmine.lighttpd.net/versions/show/20)
and does optional authentication
(http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL)
(if it exports all the right variables that Sympa expects, which I have some
doubt on).

Note: For the time being lists.cacert.org is client certificate only

-- 
Daniel Black
Infrastructure Administrator
CAcert

Attachment: smime.p7s
Description: S/MIME cryptographic signature
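One way to check which client-certificate policy each of the three names actually gets from the server, as an added diagnostic script that is not part of the original post or of CAcert's configuration: it classifies the output of openssl s_client, connected with -servername so each name-based vhost is probed separately. The mapping to Apache's none/optional/require values is my assumption and only covers vhost-level directives (per-Location directives renegotiate after the request, which a bare handshake probe does not see); the sample outputs in the block are constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Classifies the client-certificate
# policy a TLS virtual host applies, from the output of:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1
# Mapping to Apache SSLVerifyClient values (assumption, vhost-level only):
#   none     - no CertificateRequest: "No client certificate CA names sent"
#   optional - CertificateRequest sent and the handshake completes without a cert
#   require  - CertificateRequest sent, handshake aborted as no cert was offered
# A handshake failure for another reason (e.g. no shared cipher) is also reported
# as "require"; confirm by retrying with -cert/-key.
classify_verify_client() {
    out=$1   # full s_client output, stdout and stderr
    case $out in
        *"alert handshake failure"*|*"alert certificate required"*) echo require ;;
        *"Acceptable client certificate CA names"*)              echo optional ;;
        *"No client certificate CA names sent"*)                  echo none ;;
        *)                                                        echo unknown ;;
    esac
}

# Probe one hostname; SNI is set so each name-based vhost is tested separately.
# On a server without SNI support every name yields the same answer, which is
# the symptom described in the post.
probe_host() {
    classify_verify_client "$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1)"
}

# Constructed, abridged sample outputs so the classifier can be exercised offline.
SAMPLE_NONE='---
No client certificate CA names sent
---
SSL handshake has read 1871 bytes and written 302 bytes'
SAMPLE_OPTIONAL='Acceptable client certificate CA names
/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority
---
Verify return code: 0 (ok)'
SAMPLE_REQUIRE='Acceptable client certificate CA names
/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:'

demo() {
    for s in "$SAMPLE_NONE" "$SAMPLE_OPTIONAL" "$SAMPLE_REQUIRE"; do
        classify_verify_client "$s"
    done
}
demo   # prints none, optional, require (one per line)
```

Run `probe_host lists.cacert.org`, `probe_host nocert.lists.cacert.org` and `probe_host cert.lists.cacert.org` against a live server; three different answers mean the per-vhost policy is being honoured.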
