top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Client certificate revocation checking when using Apache

+1 vote
661 views

In our application we use authentication based on client ssl certificate. I've found out that the checking of client cert revocation is not done automatically, if the Crl Distribution Point is present in client certificate. Is it an intention or only not done yet?

The only way how to do revocation checking is to configure SSLCARevocationPath or SSLCARevocationFile.

The world of certificates is full of mess. Crl Distribution Point is not mandatory. So if it is not present, it is the last chance to do checking thorugh SSLCARevocation* vars. So they have their meaning. I've found a discussion about reloading values of SSLCARevocation*

http://markmail.org/message/nrhnyd6dppl25uxj

"CRL refreshing should also be taken into account; killing and restarting a webserver every hour or every day because we downloaded a new CRL is not a viable solution in a production environment, and OCSP
is not always a good answer (we're not talking about a sub-minute revocation status)."

So my question is. Is the CRL refreshing (reload of CRL files) done in the current Apache versions? And in the end, what about OCSP - is it supported?

posted Jul 8, 2013 by anonymous

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
0 votes

Running Apache 2.4.7 and current configuration limiting access to a directory to only clients that can provide a trusted client certificate. Server is SSL host. Would like to modify configuration to allow "local" clients (127.0.0.1, etc. as defined by Require local auth provider) to access the directory without authenticating with a client certificate. So the local host may access the directory without SSL client auth, but all others must authenticate with a client certificate or access is forbidden. What is the best/proper way to do this?

I would like to use modern directives (avoiding Allow, Deny, Order etc. from mod_access_compat) but I am not clear how to combine Require related directives with mod_ssl options like SSLVerifyClient.

Thanks in advance?

+3 votes

I have Apache 2.4 (win32) and have the following in my CA bundle.

Root 1
Subordinate 1
Subordinate 2

My server was signed off Subordinate 1, When I do openssl s_client -connect server:443, it shows both Subordinate 1 and Subordinate 2 in the acceptable CA names.

If I remove Subordinate 2 from the bundle, It only shows Subordinate 1 as a acceptable CA. However, if I remove Subordinate 1, it still shows as an acceptable CA.

It seems httpd references not only cabundle/cafiles but also certs in the Chain file. as acceptable CAs.

Is it possible to prevent a user signed off Subordinate 1 from using client certificate authentication while the server cert is issued off Subordinate 1?

+1 vote

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

+2 votes

I'm using multi ipaddress setup with virtual hosts to support different certificates.

For one of the hosts we currently don't have DNS pointing to the right IP so I edited my hosts file to point myextended.host.com at the relevant IP. This host has a GlobalSign extended cert. We want to check the setup before going live.

On windows I checked that all the popular browsers see my extended certificate and see green url bars ok.

On linux chromium shows green, but on one machine firefox shows untrusted and on another it shows green.

Is there a way to check the certificate setup from a linux box without having the correct dns in place? I normally use GlobalSign's test stuff, but that won't work without the right dns in place.

+4 votes

We want to set up SSL client authentication and we will only have a single client that we want to allow through to the website.

Is it possible to allow just a single certificate to authenticate by just specifying that one cert in SSLCACertificateFile? i.e. without specifying the CA cert instead?

If so, would my SSLVerifyDepth then be zero?

Are there any reasons I might not have thought about why this isn't a good idea or any other considerations?

...