I want to configure Apache so that it receives a client certificate and passes it to another server. I'm using:
I tried this config:
<VirtualHost *:443>
    ServerName apacheserver.domain.com
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile "e:/Apache/Apache2/conf/server.cer"
    SSLCertificateKeyFile "e:/Apache/Apache2/conf/server.key"
    SSLCACertificateFile "e:/Apache/Apache2/conf/certca.cer"
    SSLVerifyClient require
    SSLVerifyDepth 2
    # export the SSL_* variables into the environment; without this the
    # %{...}e lookups below resolve to empty strings
    SSLOptions +StdEnvVars
    ProxyPreserveHost on
    ProxyRequests off
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    # initialize the special headers to a blank value to avoid HTTP header forgeries
    RequestHeader set SSL_CLIENT_S_DN ""
    RequestHeader set SSL_CLIENT_I_DN ""
    RequestHeader set SSL_SERVER_S_DN_OU ""
    RequestHeader set SSL_CLIENT_VERIFY ""
    <Directory />
        # add all the SSL_* you need in the internal web application
        RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
        RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
        RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"
        # in directory context ProxyPass takes no path argument
        ProxyPass https://192.168.10.191/
        ProxyPassReverse https://192.168.10.191/
    </Directory>
</VirtualHost>
When I try this config, I get this error in Apache's error.log file:
[Tue Dec 31 12:14:52 2013] [warn] Proxy client certificate callback: (apacheserver.domain.com:443) downstream server wanted client certificate but none are configured
Any ideas?
The client certificate is sent during the TLS handshake when establishing a connection and can't be sent via HTTP within that connection. The communication is layered like this: HTTP (application-layer protocol) within TLS (presentation-layer protocol) within.
The client certificate is used in the SSL connection to verify the identity of the user. The verification is done with public key cryptography, e.g. the client signs something with its private key and the signature can be verified with the public key. And because the private key is only known to the client but the public key to everybody (it is included in the certificate), only the client can sign but everybody can verify the signature, and thus it is proven that the signed text comes from the client.
If you use Apache as a proxy which requests a client certificate, it will receive the certificate, which contains the client's public key, and it will be able to verify the signature of the client. But it has no access to the client's private key and thus it will not be able to create another HTTPS connection with the client's original certificate. All it can do is verify the client's certificate and then forward the important information as HTTP headers to the upstream server.
It looks like you attempt to put the information from the client's certificate inside HTTP headers, but that your upstream server requires more, e.g. it requires the client's certificate, which you cannot offer (error message: "..downstream server wanted client certificate.."). Therefore you need to change the upstream server so that it accepts connections without a client certificate and reads the authorization information from the HTTP headers you've inserted in the proxy.
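One way the upstream application can consume the forwarded SSL_* headers, as an added example in Python (not code from the question or the answer): it accepts the asserted identity only when the request arrives from the proxy's own address (assumed here to lie in 192.168.10.0/24, a constructed value) and the proxy reported SSL_CLIENT_VERIFY as SUCCESS, and it parses the DN in both the Apache 2.2 slash-separated and the Apache 2.4 RFC 2253 string formats.

```python
"""Upstream-side checks for the SSL_* headers set by the Apache proxy above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Assumption: only these source networks belong to the proxy; anyone else who
# can reach the upstream could set the same headers themselves.
TRUSTED_PROXIES = [ip_network("192.168.10.0/24")]


@dataclass
class ClientIdentity:
    subject: Dict[str, str]
    issuer: Dict[str, str]


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a mod_ssl DN string into {attribute: value}.

    Handles the legacy '/C=US/O=Example/CN=alice' form (Apache 2.2) and the
    RFC 2253 'CN=alice,O=Example,C=US' form (Apache 2.4 default). Values that
    contain an escaped separator are not handled by this simple splitter.
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = dn.split(",")
    out: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def identity_from_headers(headers: Dict[str, str], peer_ip: str) -> Optional[ClientIdentity]:
    """Return the authenticated identity, or None if the request must be rejected."""
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return None  # headers are only trustworthy when the proxy set them
    # mod_ssl reports SUCCESS only when the chain verified against SSLCACertificateFile
    if headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    subject = parse_dn(headers.get("SSL_CLIENT_S_DN", ""))
    issuer = parse_dn(headers.get("SSL_CLIENT_I_DN", ""))
    if "CN" not in subject:
        return None  # no usable identity in the subject
    return ClientIdentity(subject=subject, issuer=issuer)
```

The application then authorizes on `subject["CN"]` (or `issuer`) instead of expecting a certificate on its own TLS listener.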