Validating SSL clients using a list of authorised certificates instead of a Certificate Authority

apache-2.2 ssl ssl-certificate mod-ssl

Is it possible to configure Apache (or any other SSL-aware server) to only accept connections from clients presenting a certificate from a pre-defined list? These certificates may be signed by any CA (and may be self-signed).

A while back I tried to get client certificate validation working in the EPP system of the domain registry I work for. The EPP protocol spec mandates use of "mutual strong client-server authentication". In practice, this means that both the client and the server must validate the certificate of the other peer in the session.

We created a private certificate authority and asked registrars to submit CSRs, which we then signed. This seemed to us to be the simplest solution, but many of our registrars objected: they were used to obtaining a client certificate from a CA, and submitting that certificate to the registry. So we had to scrap the system. I have been trying to find a way of implementing this system in our server, which is based on the mod_epp module for Apache.


Solution 1:

It may be possible to do with just the core mod_ssl, using SSLRequire. Im not sure the exact SSL variable you would want, but something like this should work:

SSLRequire %{SSL_CLIENT_S_DN_UID} in { file("/tmp/list") }

Alternatively, you can map some certificate attribute to the user name that usually comes from HTTP Authentication (.htaccess type restrictions):

.htaccess:

SSLOptions +FakeBasicAuth SSLUserName SSL_CLIENT_S_DN_CN AuthGroupFile /tmp/SSL_Groups Require group my-users

/tmp/SSL_Groups:

my-users: uid=bob,dc=site,dc=com uid=jane,dc=site,dc=com

Again, I'm not 100% on what SSL_CLIENT_S_DN_CN looks like, but you get the point.

Solution 2:

You should be able to setup a directory with all the CA certificates you trust and then point at that with the SSLCACertificatePath directive so you can authenticated based on any certificate. Then as Jeff mentioned use SSLRequire to limit access to the set of certificates you want to permit.

If your system doesn't already have a set of common CAs certs installed then you could copy them from somewhere else. The Debian the ca-certificates package may be a good starting point.

Related

How many rewrite rules should I expect to manage? [closed]
The difference between ping and pathping command? [duplicate]
How to backup database dumps which only minor changes between the backups?
FTP server ubuntu
Transform data to a new structure
Windows10 not able to download update from WSUS
How to customize email FROM header with an email from a different domain?
Change interface for doing a whois
equivalent to CDN but for dynamical content?
Giving user exact amount of MySQL databases
Running SVN as a service on Windows Server 2003
Installing SQL Server 2008 32bit on 64bit : WoW64 error