Add a README file for SSL support
* README.SSL: this file contains a configuration example for using authentic SSL support with apache.
This commit is contained in:
parent
b4ec376bf1
commit
3106c3adb5
|
@ -0,0 +1,46 @@
|
|||
To use authentic with SSL authentication your must configure Apache to do so.
|
||||
Here is an example of an Apache virtual host to use SSL client authentication:
|
||||
|
||||
<VirtualHost 127.0.0.1:80>
|
||||
ServerName authentic.localhost
|
||||
Include /home/bdauvergne/wd/authentic-apache2.conf
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost 127.0.0.1:443>
|
||||
ServerName authentic.localhost
|
||||
LogLevel debug
|
||||
Include /home/bdauvergne/wd/authentic-apache2.conf
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/apache2/certificates/localhost-wildcard.pem
|
||||
SSLVerifyClient none
|
||||
|
||||
<Location /login_ssl>
|
||||
SSLVerifyClient optional_no_ca
|
||||
SSLOptions +StdEnvVars +ExportCertData
|
||||
</Location>
|
||||
|
||||
<Location "/associate_certificate">
|
||||
SSLVerifyClient optional_no_ca
|
||||
SSLOptions +StdEnvVars +ExportCertData
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
|
||||
As you can see we do not force SSL client verification on the full site, so as
|
||||
to permit other kind of authentications without spurious dialog asking you for
|
||||
a certificate. We could use «SSLVerifyClient optional» on the full site but it
|
||||
would ask even user logging in with a password for a certificate (they can
|
||||
still select the cancel button, bit it stil waste their time). The other
|
||||
problem with «optional» and «require» value for SSLVerifyClient is that they do
|
||||
not work with certificate coming from an unknown CA or self-signed. These kind
|
||||
of certificate are still a strong authentication for any user, stronger than a
|
||||
shared secret sent in the clear.
|
||||
|
||||
A current problem is that authentic do not generate a new cookie when
|
||||
authenticating with ssl and do not set it with the 'secure' flag that would
|
||||
prevent the navigator to release upon a not secured plain HTTP connection.
|
||||
|
||||
Another problem is that we do not use the SSL session_id as a persistent cookie
|
||||
instead of a simple HTTP cookie, so an attacker can still do a MITM attack
|
||||
after the authentication. If the user is stupid enough to accet an hijacked SSL
|
||||
session and a clik throught the warning of the navigator, then the attacker can
|
||||
steal the HTTP secure cookie.
|
Reference in New Issue