Client: client01.goweekend.ca
Request a server certificate for apache01.goweekend.ca (apache01.pem). The CA portal returns the private key in two forms, apache01.key.encrypted and the decrypted apache01.key; httpd loads the decrypted one, so keep it root-owned with mode 0600 and do not leave a copy on the client machine.
Request a client (or combined server/client) certificate for client01.goweekend.ca (client01.pem), again with client01.key.encrypted and the decrypted client01.key. The decrypted key is what curl presents with `--key`, so restrict its permissions the same way.
Download the root CA certificate (ca.pem) and the issuing sub-CA certificate (sub.pem); both are needed to build the chain files below.
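# Build the PEM chain files. Order matters: leaf certificate first, then the
# issuing sub-CA, then the root CA. Every input file must end with a newline,
# otherwise "-----END CERTIFICATE-----" and the next "-----BEGIN CERTIFICATE-----"
# are fused onto one line and the bundle will not parse (see note 1 below).

# Server side: sub-CA + root. httpd uses this both as the chain it sends to
# clients (SSLCertificateChainFile) and as the trust bundle for verifying client
# certificates (SSLCACertificateFile).
cat sub.pem ca.pem > server-full-chain.pem

# Client side: client leaf + sub-CA + root. Including the root in the presented
# chain is not strictly required, but it is harmless.
cat client01.pem sub.pem ca.pem > client01-full-chain.pem

# Sanity check before restarting httpd: both leaves must verify against the CA
# bundle, otherwise every TLS handshake will fail with an opaque error.
openssl verify -CAfile server-full-chain.pem apache01.pem client01.pem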
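Listen 8443
# mod_ssl debug output is very verbose (handshake details, client DNs); drop this
# to "warn" or "info" once the client-certificate setup is confirmed working.
LogLevel debug
<VirtualHost *:8443>
DocumentRoot "/usr/share/helloworld"
# The port in ServerName must match the port actually listened on (was 3443,
# which nothing binds; 8443 is the Listen/VirtualHost port).
ServerName apache01.goweekend.ca:8443
ServerAdmin fei@goweekend.ca
SSLEngine on
# Server leaf certificate (the apache01.pem obtained above, installed as .crt)
# and its decrypted private key. Keep the key readable by root only.
SSLCertificateFile /etc/httpd/certs/apache01.crt
SSLCertificateKeyFile /etc/httpd/certs/apache01.key
# Intermediate (sub) + root CA sent to clients so they can build the server
# chain; this is the server-full-chain.pem produced by the cat commands above.
# Without it, clients that trust only ca.pem cannot verify the server.
SSLCertificateChainFile /etc/httpd/certs/server-full-chain.pem
# Mutual TLS: every client must present a certificate that chains to the CAs
# in SSLCACertificateFile.
SSLVerifyClient require
# The chain is leaf -> sub CA -> root CA, so depth 2 is sufficient. A larger
# depth only widens what an unexpectedly trusted intermediate could sign for.
SSLVerifyDepth 2
# Trust bundle for client-certificate verification (sub + root). Note: any
# certificate issued by these CAs passes this check; the SSLRequire rule below
# is what narrows access to specific OUs/users.
SSLCACertificateFile /etc/httpd/certs/server-full-chain.pem
<Location />
# Apache 2.2-style access control; on 2.4 this needs mod_access_compat, and
# the equivalent is "Require all granted".
Order allow,deny
allow from all
# Authorization on top of a valid certificate: OU must be "risk", or the CN must
# be one of the listed users. The DN fields are only as trustworthy as the CAs
# that issued them. (SSLRequire is deprecated in 2.4 in favour of "Require expr".)
SSLRequire (%{SSL_CLIENT_S_DN_OU} eq "risk" or %{SSL_CLIENT_S_DN_CN} in {"mjackson", "jsina"})
</Location>
# Log protocol, cipher and the client certificate CN so denied/accepted
# connections can be attributed to a certificate.
CustomLog /var/log/httpd/goweekend_ssl.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{SSL_CLIENT_S_DN_CN}x\""
#ProxyPass / http://127.0.0.1/
#ProxyPassReverse / http://127.0.0.1/
</VirtualHost>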
###################################################
SSLRequire sample (the mod_ssl documentation example, kept commented out). Note the trailing `or %{REMOTE_ADDR} =~ ...` clause: any client connecting from 192.76.162.0/24 satisfies the rule regardless of its certificate's O/OU or the time of day, so only keep such a clause for a network you actually trust. SSLVerifyClient require still demands a valid certificate in that case.
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# curl -vv --cert /root/certs/client01.pem --cacert /root/certs/client01-full-chain.pem --key /root/certs/dynamics.key https://github.csd.toronto.ca:3443
Notes:
1. Make sure that in the merged chain files each certificate's END line and the next certificate's BEGIN line are on separate lines; a source file without a trailing newline will fuse them when concatenated, i.e. the bundle must look like:
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
2. Remove any stray characters from the certificate and CA certificate files (typically CRLF line endings or a BOM when the file was created on Windows and then transferred to Unix/Linux); mod_ssl will otherwise fail to parse the PEM.