summaryrefslogtreecommitdiffstats
path: root/README.SSL
blob: fe81e9911a33e6e91c8a36d83b078de5dc6ec0fd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
To use authentic with SSL authentication your must configure Apache to do so.
Here is an example of an Apache virtual host to use SSL client authentication:

<VirtualHost 127.0.0.1:80>
ServerName authentic.localhost
Include /home/bdauvergne/wd/authentic-apache2.conf
</VirtualHost>

<VirtualHost 127.0.0.1:443>
ServerName authentic.localhost
LogLevel debug
Include /home/bdauvergne/wd/authentic-apache2.conf
SSLEngine on
SSLCertificateFile /etc/apache2/certificates/localhost-wildcard.pem
SSLVerifyClient none

<Location /login_ssl>
SSLVerifyClient optional_no_ca
SSLOptions +StdEnvVars +ExportCertData
</Location>

<Location "/associate_certificate">
SSLVerifyClient optional_no_ca
SSLOptions +StdEnvVars +ExportCertData
</Location>
</VirtualHost>

As you can see we do not force SSL client verification on the full site, so as
to permit other kind of authentications without spurious dialog asking you for
a certificate.  We could use «SSLVerifyClient optional» on the full site but it
would ask even user logging in with a password for a certificate (they can
still select the cancel button, bit it stil waste their time). The other
problem with «optional» and «require» value for SSLVerifyClient is that they do
not work with certificate coming from an unknown CA or self-signed. These kind
of certificate are still a strong authentication for any user, stronger than a
shared secret sent in the clear.

A current problem is that authentic do not generate a new cookie when
authenticating with ssl and do not set it with the 'secure' flag that would
prevent the navigator to release upon a not secured plain HTTP connection.

Another problem is that we do not use the SSL session_id as a persistent cookie
instead of a simple HTTP cookie, so an attacker can still do a MITM attack
after the authentication. If the user is stupid enough to accet an hijacked SSL
session and a clik throught the warning of the navigator, then the attacker can
steal the HTTP secure cookie.