I finally ended up writing here because I'm badly struggling with Apache, SSL/TLS and a client certificate authentication that should use the certificate's Serial Number to restrict access to a specific API call.

It is better to explain with some details:

The user must be able to access:

https://{host}/apiv3xx/s?test without any problem or restriction, but for the following URL:

https://{host}/apiv3xx/x?action=login&user=blablabla a client certificate is required in order to perform the call. I thought of implementing the following solution:

<Location /apiv3xx>
    SetEnv api 1
    # expose SSL_* variables to the request environment, but not the PEM certificate itself
    SSLOptions +StdEnvVars -ExportCertData
    # ask for a client certificate without failing the handshake when none is presented
    SSLVerifyClient optional
    SSLVerifyDepth 10
</Location>

and in addition some rewrite rules to control the logic:

# only requests under /apiv3xx/ ...
RewriteCond %{REQUEST_URI} ^/apiv3xx/ [NC]
# ... whose action parameter starts with log, adm or ctc (the three [OR] conditions form one group)
RewriteCond %{QUERY_STRING} action=log([^&]*)?(?=&|$) [NC,OR]
RewriteCond %{QUERY_STRING} action=adm([^&]*)?(?=&|$) [NC,OR]
RewriteCond %{QUERY_STRING} action=ctc([^&]*)?(?=&|$) [NC]
# ... and whose client certificate serial is not one of the allowed ones ...
RewriteCond %{SSL:SSL_CLIENT_M_SERIAL} !(01000000000140AAD72ACCXXXXXX|02000000000140BAD37F1XXXXXXX)
# ... and whose certificate did not verify successfully
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
# are answered with 403 Forbidden
RewriteRule (.*) - [F,L]

So... my problem now is simple: I'm not receiving any serial number from the request and, logically, the conditions are not satisfied.

I've spun around the web for days searching for a solution and I found only this old article (from which I eventually deduced my solution), but it seems useless.


1 Answer

Record the SSL session with Wireshark, then check the SSL ALERT protocol. This will help you understand the negotiation. Enable SSL debugging on the Apache server. Check whether the Apache server is requesting the client to renegotiate the session and whether the client is sending the certificate. If needed you can also decrypt the session if you have the server's RSA key and certificate.

Also, on the client, you must make the server trusted. Otherwise the client will not send the certificate.

Please also note that the SSL/TLS protocol was changed because of a renegotiation bug. Clients and servers that are using different versions of the protocol are incompatible. See: CVE-2009-3555

You might need to enable:

SSLOptions +OptRenegotiate
  • [rid#7b6e68/initial] (4) RewriteCond: input='' pattern='!(01000000000140AAD72ACxxxxx|02000000000140BAD37F1FExxxx)' => matched As you can see, I'm not receiving any serial :( I'll try to snoop the session and figure out what is wrong. I had the doubt that somehow these SSL variables are not available in the rewrite engine, but I tried also to add them (the serial) in the logs and nothing ... empty fields :( – zimaldone Aug 29 '13 at 09:45
  • The client can not send the certificate after the SSL session is started. It must be an SSL renegotiation to add the client certificate later in the SSL conversation. If you do not see this renegotiation, that means that either the server did not ask for a renegotiation. The renegotiation can fail if the client doesn't provide a client certificate, because it does not have one. A valid "client certificate" is actually a PKCS12 keystore with a client certificate and a private key. – Mircea Vutcovici Aug 29 '13 at 14:56
  • Actually, I realised after several tests that the client negotiation somehow starts after the rewrite rules are processed, thus it's normal that no serial is provided in input. I'm trying now with a different solution. Thanks for your support. – zimaldone Aug 30 '13 at 10:34
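As an added example (not from the question, the answer or the comments), the following configuration expresses the same restriction at the point where the serial is actually available. It assumes Apache httpd 2.4 with mod_ssl, and it reuses the two placeholder serial numbers from the question exactly as written there. Because the per-location renegotiation is performed by mod_ssl in the access-control phase, a `Require expr` evaluated in the later authorization phase sees `SSL_CLIENT_VERIFY` and `SSL_CLIENT_M_SERIAL`, whereas a server-context `RewriteCond` runs during URI translation, before the renegotiation has happened, which is why the rewrite log showed `input=''`.

```apache
# Added example, not part of the original page.
# Assumes httpd 2.4 + mod_ssl; the serial numbers are the question's placeholders.
<Location /apiv3xx>
    # Ask for a client certificate; allow requests that present none.
    SSLVerifyClient optional
    SSLVerifyDepth 10
    # StdEnvVars exposes SSL_CLIENT_* to the request; OptRenegotiate lets
    # mod_ssl reuse an existing client-cert session instead of forcing a
    # full renegotiation on every request under this location.
    SSLOptions +StdEnvVars +OptRenegotiate

    # Default for the public calls, e.g. /apiv3xx/s?test: no certificate needed.
    Require all granted

    # Protected actions (log*, adm*, ctc* as in the question). With the default
    # AuthMerging Off, the Require below replaces the one above for these requests.
    <If "%{QUERY_STRING} =~ /(^|&)action=(log|adm|ctc)[^&]*(&|$)/i">
        # Both conditions must hold: the chain verified (so the serial is one
        # issued by a trusted CA, not just any certificate with that number)
        # and the serial is on the allow list. A request without a client
        # certificate has SSL_CLIENT_VERIFY == 'NONE' and is refused with 403.
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_M_SERIAL} in { '01000000000140AAD72ACCXXXXXX', '02000000000140BAD37F1XXXXXXX' }"
    </If>
</Location>
```

Two points worth checking when adapting this: `SSL_CLIENT_M_SERIAL` is the uppercase hexadecimal serial without colons, so compare it in that form, and the allow list should be checked together with `SSL_CLIENT_VERIFY`, since a serial number is only meaningful relative to the CA that issued it. On httpd 2.2, which has neither `<If>` nor `Require expr`, the equivalent check is an `SSLRequire` directive inside the `<Location>`; it is likewise evaluated after the renegotiation, but it cannot be conditioned on the query string, so the protected and public calls would need separate paths.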