* * * * *
Client certificates in Apache
I've been spending an inordinate amount of time playing around with Apache
[1], starting with mod_lua [2], which led me to reconfigure both Apache
2.0.52 (which came installed by default) and Apache 2.3.5 (compiled from
source, because mod_lua is only available for Apache 2.3) so they could run
at the same time. This led to using IPv6 (Internet Protocol version 6)
because I have almost two dozen “sites” running locally (and as I've found,
it's just as easy to use IPv6 addresses as it is IP (Internet Protocol)
addresses, although the DNS (Domain Name Service) PTR records get a little
silly [3]).
This in turn led to installing more secure sites locally, because I can
(using TinyCA (Certificate Authority) [4] makes it trivial actually), and
this led to a revamp of my secure site [5] (note: the link takes you to an
unsecure page—the actual secure site [6] uses a certificate signed by my
“certificate authority” which means you'll get a warning [7] which can be
avoided by installing the certificate from the unsecure site). And from
there, I learned a bit more about authenticating with client certificates
[8]. Specifically, isolating certain pages to just individual users.
So, to configure client side certificates, you need to create a client
certificate (easy with TinyCA, as it's an option when signing a request) and
install it in the browser. You then need to give Apache the certificate of
the certificate authority that signed the client certificate, so it can check
the client certificate's signature against it. In the Apache configuration
file, just add:
> SSLCACertificateFile /path/to/ca.crt
Then add the appropriate mod_ssl [9] options to the secure site (the client
certificate is exchanged during the TLS handshake, so client authentication
only works on the HTTPS virtual host). For example, here's my
configuration:
> <VirtualHost 66.252.224.242:443>
> ServerName secure.conman.org
> DocumentRoot /home/spc/web/sites/secure.conman.org/s-htdocs
>
> # ...
>
> <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
> SSLRequireSSL
> SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
> and %{SSL_CLIENT_S_DN_OU} eq "Clients"
> SSLVerifyClient require
> SSLVerifyDepth 5
> </Directory>
> </VirtualHost>
>
And in order to protect a single file with more stringent controls (here, for
example, my bookmarks file):
> <VirtualHost 66.252.224.242:443>
>
> # ...
>
> <Location /library/bookmarks.html>
> SSLRequireSSL
> SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
> and %{SSL_CLIENT_S_DN_CN} eq "Sean Conner"
> SSLVerifyClient require
> SSLVerifyDepth 5
> </Location>
> </VirtualHost>
>
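To see what those directives actually decide, here is an added example
(shell, driving the openssl command-line tool) that is not code from the
post: it builds a throwaway CA, issues client certificates, and then applies
the same two checks mod_ssl applies, the chain check ("SSLVerifyClient
require" with "SSLVerifyDepth 5") followed by the DN comparisons from the two
SSLRequire rules above. The work directory, the file names, the second
"rogue" CA and the extra client DNs are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces with the
# openssl CLI what the mod_ssl directives above do: "SSLVerifyClient require"
# + "SSLVerifyDepth 5" (chain must end at our CA) and the two SSLRequire
# DN rules. All file names, the work directory and the "rogue" CA are
# constructed for the demo.
set -e

# Self-signed root CA: $1 = work dir, $2 = file tag, $3 = organisation name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=$3/CN=$3 Root CA" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Client cert signed by CA $2 in dir $1, written to $1/$3.crt, DN = $4/$5/$6.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=$4/OU=$5/CN=$6" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.crt" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.crt" >/dev/null 2>&1
}

# SSLVerifyClient require + SSLVerifyDepth 5: the presented certificate must
# chain to the CA in $1 within five links, or the request is refused before
# any SSLRequire expression is even looked at.
verify_client() {
    openssl verify -verify_depth 5 -CAfile "$1" "$2" >/dev/null 2>&1
}

# One subject RDN ($2 = O, OU or CN) from cert $1, i.e. what mod_ssl exposes
# as SSL_CLIENT_S_DN_O / SSL_CLIENT_S_DN_OU / SSL_CLIENT_S_DN_CN.
dn_field() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
        sed -n "s/^ *$2 *= *//p"
}

# <Directory .../library>: O eq "Conman Laboratories" and OU eq "Clients".
library_allowed() {   # $1 = CA cert, $2 = client cert
    verify_client "$1" "$2" || return 1
    [ "$(dn_field "$2" O)" = "Conman Laboratories" ] &&
        [ "$(dn_field "$2" OU)" = "Clients" ]
}

# <Location /library/bookmarks.html>: mod_ssl combines the SSLRequire lists of
# every section matching the file, so the <Directory> conditions still apply
# and CN eq "Sean Conner" is added on top.
bookmarks_allowed() {
    library_allowed "$1" "$2" || return 1
    [ "$(dn_field "$2" CN)" = "Sean Conner" ]
}

# Demo: one real CA, one rogue CA, four client certificates.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK" ca    "Conman Laboratories"
make_ca "$WORK" rogue "Somebody Else"
issue_client "$WORK" ca    sean   "Conman Laboratories" Clients "Sean Conner"
issue_client "$WORK" ca    client "Conman Laboratories" Clients "Other Client"
issue_client "$WORK" ca    guest  "Conman Laboratories" Guests  "Sean Conner"
# Same DN as sean, but signed by the rogue CA: anyone can mint one of these.
issue_client "$WORK" rogue forged "Conman Laboratories" Clients "Sean Conner"

for who in sean client guest forged; do
    lib=denied; bm=denied
    library_allowed   "$WORK/ca.crt" "$WORK/$who.crt" && lib=allowed
    bookmarks_allowed "$WORK/ca.crt" "$WORK/$who.crt" && bm=allowed
    printf '%-7s library=%-7s bookmarks=%s\n' "$who" "$lib" "$bm"
done
```

The "forged" certificate carries exactly the DN the SSLRequire rules look
for and is still refused, because verify_client (the SSLVerifyClient step)
fails before the DN is ever compared. That is the whole point of the
SSLCACertificateFile line: an SSLRequire on DN fields without a chain check
back to your own CA is just string matching on data anyone can put in a
self-signed certificate.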
The <Files> directive in Apache didn't work—I suspect because the <Directory>
directive is processed first and it allows anybody from the unit “Clients”
access and thus any <Files> directives are ignored, whereas <Location>
directives are processed before <Directory> directives, and thus anyone who
isn't me is denied access to my bookmarks.
Now, I just need to figure out what to do about some recent updates to Apache
[10], since I have some “old/existing clients” to support (namely, Firefox 2
on my Mac, which I can't upgrade because I'm stuck at 10.3.9 on the system,
because the DVD (Digital Video Disc) player is borked … )
[1] http://httpd.apache.org/
[2] gopher://gopher.conman.org/0Phlog:2010/04/03.1
[3] http://en.wikipedia.org/wiki/Reverse_DNS_lookup#IPv6_reverse_resolution
[4] http://tinyca.sm-zone.net/
[5] http://secure.conman.org/
[6] https://secure.conman.org/
[7] http://lwn.net/Articles/295810/
[8] gopher://gopher.conman.org/0Phlog:2008/11/18.1
[9] http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
[10] http://old.nabble.com/Reading-between-the-lines--changelog-td27799670.html