httpd-users mailing list archives

From "RESEAU Sen-Francois - CETE SO/DIM/CS" <Sen3.Res...@i-carre.net>
Subject [users@httpd] Issue with HTTPS mutual authentication using Apache2.2 as a reverse proxy
Date Tue, 07 Sep 2010 14:25:22 GMT
Hi everybody,

I'm currently configuring mutual authentication between an Apache2.2 
Reverse Proxy and another backend Webserver product.
The link channel is:

User BROWSER --HTTPS(simple auth)--> Reverse Proxy (Apache2.2) --> HTTPS(mutual auth) --> Backend webserver

The client certificate I use has been signed by an intermediate 
authority (the chain is composed of 4 CAs).
Unfortunately, the backend server can only send the top level CA's DN in 
the "Acceptable client certificate CA names" as part of the TLS proposal 
process.

Moreover, it seems that Apache2.2 needs all the DNs of the CA authorities 
that constitute the CA chain in this proposal.
Actually, if that's not the case, Apache2.2 does not select any certificate:

 >> Proxy client certificate callback: (mywebsite.mydomain.com:443) no client certificate found!?

This config is working great when the backend server is also an 
Apache2.2 webserver.


So first, is this correct? And if it's not, what do I need to configure 
on the web server in order to make it work?


Thanks in advance,


PS:

Below you can find some of my reverse proxy vhost config:

SSLEngine on
SSLCertificateFile my_ssl_server_certificate.crt
SSLCertificateKeyFile my_ssl_server_key.key
SSLCACertificateFile my_ssl_server_ca.pem

SSLProxyEngine on
SSLProxyMachineCertificateFile my_ssl_client_cert_and_key.pem
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile backend_ca_cert.pem


François S.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
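
An added illustration, not part of the original message and not Apache code: a small Python model of the situation described in the message, under the assumption that the proxy offers a client certificate only when that certificate's direct issuer DN appears in the backend's "Acceptable client certificate CA names" list. All DNs are constructed sample values, and the chain-aware variant is included only for contrast.

```python
# Model of proxy client-certificate selection (assumption, not Apache source).
# All DNs are constructed sample values.

def norm(dn):
    """Simplified DN normalisation: trim and lowercase each RDN."""
    return tuple(part.strip().lower() for part in dn.split(","))

# Constructed 4-CA chain; each entry is (subject DN, issuer DN).
LEAF = ("CN=proxy-client", "CN=Issuing CA 3")
CHAIN = [
    ("CN=Issuing CA 3", "CN=Policy CA 2"),
    ("CN=Policy CA 2", "CN=Sub CA 1"),
    ("CN=Sub CA 1", "CN=Root CA"),
    ("CN=Root CA", "CN=Root CA"),  # self-signed root
]

def select_direct_issuer(leaf, acceptable):
    """Offer the leaf only if its direct issuer is in the advertised list."""
    names = {norm(n) for n in acceptable}
    return norm(leaf[1]) in names

def select_chain_aware(leaf, chain, acceptable):
    """Offer the leaf if any CA on its path to the root is advertised."""
    names = {norm(n) for n in acceptable}
    issuer_of = {norm(s): norm(i) for s, i in chain}
    issuer, seen = norm(leaf[1]), set()
    while issuer not in seen:          # stops at the self-signed root
        if issuer in names:
            return True
        seen.add(issuer)
        if issuer not in issuer_of:    # chain is incomplete
            return False
        issuer = issuer_of[issuer]
    return False

ROOT_ONLY = ["CN=Root CA"]                    # backend advertises top-level CA only
FULL_LIST = [subject for subject, _ in CHAIN]  # backend advertises every CA

if __name__ == "__main__":
    print("root only, direct issuer:", select_direct_issuer(LEAF, ROOT_ONLY))
    print("full list, direct issuer:", select_direct_issuer(LEAF, FULL_LIST))
    print("root only, chain aware  :", select_chain_aware(LEAF, CHAIN, ROOT_ONLY))
```
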

