Advanced certificate based authentication

Added by jddupas about 14 years ago

Hello,

I would like to set up certificate based authentication, and allow or deny access based on client certificate fields like SSL_CLIENT_S_DN_CN or any other x509 field.

SSL server and client certificate validation works fine, but now, I wonder if lighty provides a way to use the client fields to check access.

I'm actually doing this on a mod_ssl based server using the SSLRequire directive.

Is there something like that on lighty?

Thanks


Replies (5)

RE: Advanced certificate based authentication - Added by mezza9 about 14 years ago

I had client side SSL working a few months ago, though now it's broken for me and I can't get it to work. Would be grateful if you could share your notes.

To get the SSL_CLIENT_S_DN_CN passed through to my applications, I had the following config:

$SERVER["socket"] == "192.168.1.65:8443" {
  ssl.engine = "enable"
  ssl.pemfile = "/path/to/cert.pem"
  ssl.ca-file = "/path/to/crtchain.crt"
  ssl.verifyclient.activate = "enable"
  ssl.verifyclient.enforce = "enable"
  ssl.verifyclient.depth = 2
  ssl.verifyclient.exportcert = "enable"
  ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}

Then in my application I could fetch the SSL_CLIENT_S_DN_CN by querying the request environment variables, eg:

request.env['REMOTE_USER']

HTH, and look forward to seeing your notes.

RE: Advanced certificate based authentication - Added by jddupas about 14 years ago

My configuration is very similar to your config.

$SERVER["socket"] == "0.0.0.0:8443" {
  server.name = "localhost" 
  ssl.pemfile = "/opt/lighty/localhost.pem" 
  ssl.engine  = "enable" 
  ssl.ca-file = "/opt/lighty/ca.pem" 
  server.document-root = server_root + "/pages/" 

  ssl.verifyclient.exportcert = "enable" 
  ssl.verifyclient.activate   = "enable" 
  ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN" 
  ssl.verifyclient.enforce    = "enable" 
  ssl.verifyclient.depth      = 3
}

And I managed to get anything I need in my script:
  • The user name in REMOTE_USER.
  • The PEM client certificate in SSL_CLIENT_CERT.
  • Any field extracted from the client cert like SSL_CLIENT_S_DN_EMAILADDRESS.

Of course, I can implement auth restriction in my script using these variables, but that's not what I'm trying to do. I need the restriction at the server level as it is used to access a bunch of applications and I can't modify all of them to take care of this.

The only tricky part IMHO is setting up a valid CA and generating client certificates. So, make sure all your certificates are valid:
  • Check the expiration date for each cert in the chain
  • Make sure your ca-file contains the complete chain from your cert to the root, etc…
  • Also, make sure the lighty process has the right to read your files, that your private key is not encrypted, and check the lighty error log to see if you can get a hint about what goes wrong.
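
Added illustration, not code from either poster: a deny-by-default check in the application layer, using only the variables lighttpd exports with the config above (REMOTE_USER filled from SSL_CLIENT_S_DN_CN, plus SSL_CLIENT_S_DN_EMAILADDRESS). The allowlist values and the WSGI-style environ dicts are constructed for the example.

```python
"""Per-field access control on lighttpd's exported client-cert variables.

The server only verifies the chain (ssl.verifyclient.enforce); which CN or
email is allowed has to be decided here. Assumption: the app is reached via
CGI/FastCGI, so lighttpd (not the client) populates these environ entries.
"""

ALLOWED_CN = {"alice", "bob"}          # constructed allowlist of SSL_CLIENT_S_DN_CN values
ALLOWED_EMAIL_DOMAIN = "example.org"   # constructed: email attribute must be in this domain


def authorize(environ):
    """Return (allowed, reason) for one request environment."""
    user = environ.get("REMOTE_USER", "")
    if not user:
        # enforce="enable" should already have rejected this request, but an
        # empty identity means no verified cert was exported: never allow it.
        return False, "no verified client identity"
    if user not in ALLOWED_CN:
        return False, "CN not allowed"
    email = environ.get("SSL_CLIENT_S_DN_EMAILADDRESS", "").lower()
    # Require the exact "@domain" suffix so "x@evil.example.org" does not pass.
    if not email.endswith("@" + ALLOWED_EMAIL_DOMAIN):
        return False, "email attribute outside allowed domain"
    return True, "ok"


def app(environ, start_response):
    """Minimal WSGI app that enforces authorize() before serving anything."""
    allowed, reason = authorize(environ)
    if not allowed:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [f"Forbidden: {reason}\n".encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Hello {environ['REMOTE_USER']}\n".encode()]


# Constructed sample environments shaped like what lighttpd hands the script.
SAMPLE_OK = {"REMOTE_USER": "alice",
             "SSL_CLIENT_S_DN_EMAILADDRESS": "alice@example.org",
             "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE----- (constructed) -----END CERTIFICATE-----"}
SAMPLE_BAD_CN = {"REMOTE_USER": "mallory",
                 "SSL_CLIENT_S_DN_EMAILADDRESS": "mallory@example.org"}
SAMPLE_BAD_DOMAIN = {"REMOTE_USER": "alice",
                     "SSL_CLIENT_S_DN_EMAILADDRESS": "alice@evil.example.org"}
SAMPLE_NO_CERT = {}

if __name__ == "__main__":
    for name, env in [("ok", SAMPLE_OK), ("bad_cn", SAMPLE_BAD_CN),
                      ("bad_domain", SAMPLE_BAD_DOMAIN), ("no_cert", SAMPLE_NO_CERT)]:
        print(name, authorize(env))
```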

RE: Advanced certificate based authentication - Added by mezza9 about 14 years ago

Thanks for that. Our configs are the same pretty much, so it must be a certificate issue. Out of curiosity, are you using self-signed certs or have you used a commercially signed cert to do the client authentication?

To answer your question, I've never been able to use variables in lighttpd to do conditionals, and all I could find in the docs seems to indicate (http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:Configuration) the external script approach - as you've taken - is all that's available.

RE: Advanced certificate based authentication - Added by jddupas about 14 years ago

Thank you for the pointer.

To answer your question, I'm using a self signed certificate.

RE: Advanced certificate based authentication - Added by Georg about 14 years ago

It would be great if anyone could post how to create the required files for authentication: ssl.pemfile, ssl.ca-file and the client files.

Thanks!
