
I need to enable the ssl.verifyclient.* options for a single endpoint of the website, to perform certificate login or validation. But it is not working.

The configuration:

    $HTTP["host"] =~ "^(.*\.|)example.com$" {

        $SERVER["socket"] == ":443" {
            protocol     = "https://"
            ssl.engine   = "enable"
            ssl.disable-client-renegotiation = "disable"

            #server.name = "example.com"
            ssl.pemfile               = "/etc/lighttpd/ssl/example.com.pem"
            ssl.ca-file               = "/etc/lighttpd/ssl/bundle-ca.pem"

            ssl.honor-cipher-order = "enable"
            #ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384"
            #ssl.use-compression = "disable"
            setenv.add-response-header = (
                "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
                "X-Frame-Options" => "DENY",
                "X-Content-Type-Options" => "nosniff"
            )
            ssl.use-sslv2 = "enable"
            ssl.use-sslv3 = "enable"
            ssl.read-ahead = "enable"
            #ssl.disable-client-renegotiation = "disable"

            # This works
            $HTTP["host"] == "ssl.example.com" {
                server.name = "ssl.example.com"
                # ask for client cert
                ssl.verifyclient.activate   = "enable"
                ssl.verifyclient.enforce    = "enable"

                ssl.verifyclient.exportcert = "enable"
                #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
                ssl.verifyclient.depth      = 3
            }

            # This does not work
            $HTTP["url"] =~ "/backend/server/auth/ssl" {
                # ask for client cert
                ssl.verifyclient.activate   = "enable"
                ssl.verifyclient.enforce    = "disable"

                ssl.verifyclient.exportcert = "enable"
                #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
                ssl.verifyclient.depth      = 10
            }
        }
    }

Is it a bug or a configuration mismatch?

LeonanCarvalho

1 Answer

It cannot work. SSL is negotiated before any HTTP requests are sent to the server.

When negotiating the SSL connection, the client sends the virtual host name using the SNI feature of SSL. Client verification also happens during SSL connection negotiation.

Only after the SSL session has been established does the client send the "GET /path/to/resource" request to the web server.

You need to apply client verification for the whole domain.

Tero Kilkanen
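Since the client certificate is requested during the TLS handshake, before the request line exists, the practical way to get "certificate login on one endpoint only" is the pattern the answer points at: request the certificate for the whole host (`ssl.verifyclient.activate = "enable"` with `ssl.verifyclient.enforce = "disable"` at the `$HTTP["host"]` level, so connections without a certificate are still accepted) and enforce the requirement per URL in the backend. The following WSGI handler is an added example, not code from the question, the answer or the lighttpd project. It assumes that lighttpd exports the TLS layer's verdict to the CGI/FastCGI environment as `SSL_CLIENT_VERIFY` (`SUCCESS`, `NONE` or `FAILED:...`) and, with `ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"`, sets `REMOTE_USER` from the certificate's CN; the endpoint path is the one from the question.

```python
# Added example: per-endpoint client-certificate enforcement at the
# application layer, behind lighttpd with host-wide
# ssl.verifyclient.activate = "enable" and ssl.verifyclient.enforce = "disable".
#
# Assumptions (not confirmed by the original page):
#   - lighttpd exports SSL_CLIENT_VERIFY ("SUCCESS", "NONE" or "FAILED:<reason>")
#     into the CGI/FastCGI environment when verifyclient is active;
#   - ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" populates REMOTE_USER.

from wsgiref.simple_server import make_server

# Endpoint from the question that should require a client certificate.
CERT_REQUIRED_PREFIX = "/backend/server/auth/ssl"


def client_cert_status(environ):
    """Translate the TLS layer's verdict into 'verified', 'none' or 'failed'."""
    verdict = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verdict == "SUCCESS":
        return "verified"
    if verdict == "NONE":
        return "none"
    # Anything else ("FAILED:certificate has expired", ...) is a failed chain.
    return "failed"


def decide(path, environ):
    """Map (request path, TLS environment) to an HTTP status line and body."""
    if not path.startswith(CERT_REQUIRED_PREFIX):
        # Every other URL on the host ignores whether a certificate was sent.
        return "200 OK", "public endpoint, no client certificate needed"

    status = client_cert_status(environ)
    if status == "verified":
        user = environ.get("REMOTE_USER", "<no REMOTE_USER>")
        return "200 OK", f"certificate login accepted for {user}"
    if status == "none":
        # Handshake succeeded without a certificate (enforce = "disable").
        return "401 Unauthorized", "client certificate required"
    # A certificate was presented but did not verify against ssl.ca-file.
    return "403 Forbidden", "client certificate failed verification"


def app(environ, start_response):
    status, body = decide(environ.get("PATH_INFO", "/"), environ)
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Local stand-in for the FastCGI/SCGI backend; lighttpd would normally
    # front this and supply the SSL_* variables.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The decision is keyed on environment variables set by the web server, not on HTTP headers, which matters if the backend is ever reached through a proxy: a client-supplied `X-SSL-Client-Verify`-style header must never be trusted, while `SSL_CLIENT_VERIFY` in the CGI environment can only come from lighttpd's own TLS layer. Keeping `enforce = "disable"` host-wide also means a browser without a certificate still gets a normal TLS session and a clear 401 on the protected path instead of a handshake failure.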