CSS SSL and client certificate

Sbutzek
Level 1

Hello,

In a situation where SSL traffic is terminated on an SSL module.

And having clients which do client certification.

There are 2 contents available on the webserver.

One for certified users and one for both.

Is there a way to restrict a path of a URL to clients which performed a client cert?

And have all other content on that server available to both, certified and not certified clients?

Sven

4 Replies

Gilles Dufour
Cisco Employee

Sven,

How can you have clients doing client authentication and others bypassing authentication?

Do you have 2 rules?

Do you allow un-authenticated clients to go through?

Are you comparing clients doing SSL and clients using cleartext?

If this is the case, you should create 2 rules, one for decrypted traffic and one for cleartext traffic.

Users hitting the cleartext traffic directly on a specific path would be redirected.

The same user hitting the decrypted rule would go through.

Gilles.

Hi Gilles,

I have not described my problem at all.

Currently we are doing the SSL termination on a webserver.

There are two locations specified in the Apache config.

Like this:

    # Only this path requires a client certificate; everything else stays open
    <Location /webservices/onlytoca>
        SSLVerifyClient require
        SSLVerifyDepth 0
    </Location>

So the path /webservices/onlyToCa is only allowed to clients which did a certification via client cert.

The /content is allowed to all.

I have to migrate to the SSL module because we need to analyse the URL for stickiness.

My question was, is there a way to restrict a URL path to clients which did a client certification?

I can set up the ssl-server to ignore certification failures.

Also, do you know about the HTTP-Header insert? Is the header to be inserted also if the client has not been certified via cc or only if the client performed a certification?

If not, a solution would be to have 3 content rules:

one, which checks for the existence of an HTTP header which is set when the request is certified.

There I can limit the URL to /webservices/toCaOnly/*

one cr, which allows any other content

one cr, which sends a redirect to an error page. This one should only be accessed if the URL is /webservices/toCaOnly and the HTTP header is not set.

I hope I wrote it down clearly enough to understand.

Sven
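
The three-content-rule idea above, modelled as an added example (not CSS configuration syntax and not code from the thread): the SSL module is assumed to strip any client-supplied copy of the marker header and insert it only after a successful client-cert verification, and the content rules are then evaluated in the order Sven lists them. The header name, error page path and the stripping behaviour are assumptions.

```python
from dataclasses import dataclass, field

RESTRICTED_PREFIX = "/webservices/toCaOnly/"     # path from the thread
VERIFIED_HEADER = "x-client-cert-verified"       # assumed marker header name
ERROR_PAGE = "/error/clientcert.html"            # assumed redirect target


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)   # lower-cased header names


def terminate_ssl(req: Request, client_cert_verified: bool) -> Request:
    """Model the SSL module (assumption): drop any marker the client sent
    itself, then insert the marker only when the client cert verified."""
    clean = {k: v for k, v in req.headers.items() if k != VERIFIED_HEADER}
    if client_cert_verified:
        clean[VERIFIED_HEADER] = "1"
    return Request(req.path, clean)


def match_content_rule(req: Request) -> tuple:
    """Evaluate the three content rules in order; return (rule name, action)."""
    restricted = (req.path.startswith(RESTRICTED_PREFIX)
                  or req.path == RESTRICTED_PREFIX.rstrip("/"))
    verified = req.headers.get(VERIFIED_HEADER) == "1"
    if restricted and verified:          # cr 1: marker present -> restricted path allowed
        return ("cr-toCaOnly", "forward")
    if restricted:                       # cr 3: restricted path without marker -> redirect
        return ("cr-redirect", "redirect " + ERROR_PAGE)
    return ("cr-content", "forward")     # cr 2: any other content


def decide(path: str, client_headers: dict, client_cert_verified: bool) -> tuple:
    """End-to-end: client request -> SSL module -> content rule match."""
    return match_content_rule(terminate_ssl(Request(path, client_headers),
                                            client_cert_verified))


if __name__ == "__main__":
    # Constructed sample requests
    print(decide("/webservices/toCaOnly/pay", {}, True))
    print(decide("/webservices/toCaOnly/pay", {}, False))
    print(decide("/content/index.html", {}, False))
```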

Sven,

I think you should enforce users to do client authentication and in case of failure redirect the user to another VIP where client authentication is not required - could be the same IP but a different port like 444.

If you just allow users to go through if client authentication fails, I don't think the CSS will be able to distinguish a user that successfully passed authentication from one that failed.

If you insert text in the HTTP header, I'm not sure what should happen if the authentication fails.

Don't know if the text will still be included.

That's why I think a redirect on failure to another VIP would be easier to implement.

Regards,

Gilles.

Hello Gilles,

thanks for your fast response.

But that solution does not work for us.

As you may know, there are some credit card companies (Visa) which do some certification of system infrastructure in case of security.

As I know, they only allow port 80 and 443 inside the DMZ. That's what we are limited to today.

So a request to 444 would never arrive at my CSS, because it is behind a firewall.

So at all, there is no way to implement this on CSS like the Apache webserver supports.

I opened a case, but the TAC engineer gave me the advice to do it via the http-header rule and the http-header insertion.

Best Regards

Sven