Configure Apache to send SSL Client certificate to backend server

I want to configure Apache so that it receives a client certificate and passes it to another server. I'm using:

  • Apache 2.0.65 on Windows
  • the backend server is an Apache-based solution (IBM HTTP Server)

I tried this config:

<VirtualHost *:443>
  ServerName apacheserver.domain.com
  SSLEngine on
  # needed so mod_proxy can talk TLS to the https:// backend below
  SSLProxyEngine on
  SSLCertificateFile    "e:/Apache/Apache2/conf/server.cer"
  SSLCertificateKeyFile "e:/Apache/Apache2/conf/server.key"
  SSLCACertificateFile  "e:/Apache/Apache2/conf/certca.cer"
  # require a client certificate that chains to certca.cer
  SSLVerifyClient require
  SSLVerifyDepth 2
  # export the SSL_* variables; without this the %{...}e lookups below are empty
  SSLOptions +StdEnvVars
  ProxyPreserveHost on
  ProxyRequests off
  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
  </Proxy>
  # initialize the special headers to a blank value to avoid http header forgeries
  RequestHeader set SSL_CLIENT_S_DN    ""
  RequestHeader set SSL_CLIENT_I_DN    ""
  RequestHeader set SSL_SERVER_S_DN_OU ""
  RequestHeader set SSL_CLIENT_VERIFY  ""
  <Directory />
    # add all the SSL_* you need in the internal web application
    RequestHeader set SSL_CLIENT_S_DN    "%{SSL_CLIENT_S_DN}e"
    RequestHeader set SSL_CLIENT_I_DN    "%{SSL_CLIENT_I_DN}e"
    RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
    RequestHeader set SSL_CLIENT_VERIFY  "%{SSL_CLIENT_VERIFY}e"
    ProxyPass         https://192.168.10.191/
    ProxyPassReverse  https://192.168.10.191/
  </Directory>
</VirtualHost>

When I try this config, I get this error in Apache's error.log file:

[Tue Dec 31 12:14:52 2013] [warn] Proxy client certificate callback: (apacheserver.domain.com:443) downstream server wanted client certificate but none are configured

Any ideas?

user3146966 asked Dec 31 '13 12:12
1 Answer

The client certificate is used in the SSL connection to verify the identity of the user. The verification is done with public key cryptography, e.g. the client signs something with its private key and the signature can be verified with the public key. And because the private key is only known to the client but the public key to everybody (it is included in the certificate), only the client can sign but everybody can verify the signature, and thus it is proven that the signed text comes from the client.

If you use Apache as a proxy which requests a client certificate, it will receive the certificate which contains the client's public key and it will be able to verify the signature of the client. But it has no access to the client's private key and thus it will not be able to create another https connection with the client's original certificate. All it can do is verify the client's certificate and then forward the important information as HTTP headers to the upstream server.

It looks like you attempt to put the information from the client's certificate inside HTTP headers, but your upstream server requires more, e.g. it requires the client's certificate, which you cannot offer (error message: "..downstream server wanted client certificate.."). Therefore you need to change the upstream server so that it accepts connections without a client certificate and reads the authorization information from the HTTP headers you've inserted in the proxy.

Steffen Ullrich answered Sep 19 '22 14:09
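The hand-off the answer describes (proxy verifies the certificate, backend reads the SSL_* headers) only stays safe if the proxy overwrites those headers on every request and the backend accepts them solely from the proxy. The following is an added Python simulation of both sides, not code from the question or answer; the proxy address 192.168.10.190 and the backend_identity() function are hypothetical, and the request data is constructed.

```python
"""Simulate the proxy's RequestHeader rewriting and the backend's trust check
for the SSL_* headers discussed above (constructed example)."""

from typing import Dict, Optional

# Headers the proxy owns; mirrors the RequestHeader lines in the question.
SSL_HEADERS = ("SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN",
               "SSL_SERVER_S_DN_OU", "SSL_CLIENT_VERIFY")


def _canon(name: str) -> str:
    # "ssl-client-verify" and "SSL_CLIENT_VERIFY" both become HTTP_SSL_CLIENT_VERIFY
    # in a CGI environment, so treat them as the same header.
    return name.upper().replace("-", "_")


def proxy_rewrite_headers(client_headers: Dict[str, str],
                          ssl_env: Dict[str, str]) -> Dict[str, str]:
    """Emulate the two RequestHeader stages from the question: blank every
    SSL_* header the client sent, then set it from mod_ssl's environment
    (an unset variable leaves the header blank rather than client-controlled)."""
    out = {k: v for k, v in client_headers.items() if _canon(k) not in SSL_HEADERS}
    for name in SSL_HEADERS:
        out[name] = ""                      # stage 1: discard the client's value
        out[name] = ssl_env.get(name, "")   # stage 2: value from the TLS session
    return out


def backend_identity(headers: Dict[str, str], peer_ip: str,
                     proxy_ip: str = "192.168.10.190") -> Optional[str]:
    """Hypothetical backend check: trust the forwarded identity only when the
    request came from the proxy and the proxy reported a verified certificate.
    Returns the CN from a mod_ssl style DN such as "/C=US/O=Example/CN=alice"."""
    if peer_ip != proxy_ip:
        return None  # a request that bypassed the proxy carries untrusted headers
    if headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    for part in headers.get("SSL_CLIENT_S_DN", "").split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None


if __name__ == "__main__":
    # constructed request: client tries to forge the identity headers
    forged = {"Host": "apacheserver.domain.com", "ssl-client-s-dn": "/CN=admin",
              "SSL_CLIENT_VERIFY": "SUCCESS"}
    tls_env = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "/C=US/O=Example/CN=alice"}
    print(backend_identity(proxy_rewrite_headers(forged, tls_env), "192.168.10.190"))  # alice
```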