Validating SSL clients using a list of authorised certificates instead of a Certificate Authority

Is it possible to configure Apache (or any other SSL-aware server) to only accept connections from clients presenting a certificate from a pre-defined list? These certificates may be signed by any CA (and may be self-signed).

A while back I tried to get client certificate validation working in the EPP system of the domain registry I work for. The EPP protocol spec mandates use of "mutual strong client-server authentication". In practice, this means that both the client and the server must validate the certificate of the other peer in the session.

We created a private certificate authority and asked registrars to submit CSRs, which we then signed. This seemed to us to be the simplest solution, but many of our registrars objected: they were used to obtaining a client certificate from a CA, and submitting that certificate to the registry. So we had to scrap the system. I have been trying to find a way of implementing this system in our server, which is based on the mod_epp module for Apache.

Solution 1:

It may be possible to do with just the core mod_ssl, using SSLRequire. I'm not sure of the exact SSL variable you would want, but something like this should work:

SSLRequire %{SSL_CLIENT_S_DN_UID} in { file("/tmp/list") }

Alternatively, you can map some certificate attribute to the user name that usually comes from HTTP Authentication (.htaccess type restrictions):

.htaccess:

SSLOptions +FakeBasicAuth
SSLUserName SSL_CLIENT_S_DN_CN
AuthGroupFile /tmp/SSL_Groups
Require group my-users

/tmp/SSL_Groups:

my-users: uid=bob,dc=site,dc=com uid=jane,dc=site,dc=com

Again, I'm not 100% on what SSL_CLIENT_S_DN_CN looks like, but you get the point.

Solution 2:

You should be able to set up a directory with all the CA certificates you trust and then point at that with the SSLCACertificatePath directive, so you can authenticate based on any certificate. Then, as Jeff mentioned, use SSLRequire to limit access to the set of certificates you want to permit.

If your system doesn't already have a set of common CA certs installed then you could copy them from somewhere else. The Debian ca-certificates package may be a good starting point.
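Putting the two answers together, as an added example that is not from the question or either answer: an Apache 2.4 mod_ssl virtual host that trusts every CA certificate (and every self-signed registrar certificate) placed in a hashed directory, then uses `Require expr` to accept only specific certificates, pinned by issuer DN plus serial number rather than by subject DN alone, since any trusted CA could issue a certificate with a matching subject. All paths, DNs, serial numbers and the `<Location>` mapping are placeholders for your own deployment.

```apache
<VirtualHost *:700>
    ServerName epp.registry.example   # placeholder

    SSLEngine on
    SSLCertificateFile    /etc/ssl/epp/server.crt   # placeholder paths
    SSLCertificateKeyFile /etc/ssl/epp/server.key

    # Every issuing CA a registrar uses, and each self-signed registrar
    # certificate, is dropped into this directory. mod_ssl looks certificates
    # up by subject hash, so the directory must be rehashed after each change.
    SSLCACertificatePath /etc/ssl/epp/client-cas
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Chaining to a trusted CA is only the first gate. The allowlist below
    # pins each registrar to exactly one certificate: issuer DN together with
    # serial number identifies a single certificate, so a certificate with the
    # same subject DN issued by a different trusted CA is still rejected.
    # Serial numbers are exported by mod_ssl as uppercase hex strings.
    <Location "/">
        <RequireAny>
            # Registrar A: certificate bought from a public CA (placeholder values)
            Require expr "%{SSL_CLIENT_I_DN} == 'CN=Example Public CA,O=Example CA Inc' && %{SSL_CLIENT_M_SERIAL} == '0A1B2C3D4E5F'"
            # Registrar B: self-signed certificate, so issuer DN equals subject DN
            Require expr "%{SSL_CLIENT_I_DN} == 'CN=epp.registrar-b.example,O=Registrar B' && %{SSL_CLIENT_M_SERIAL} == '01'"
        </RequireAny>
    </Location>
</VirtualHost>
```

Run `openssl rehash /etc/ssl/epp/client-cas` (or `c_rehash` on older OpenSSL) after adding a certificate to the directory, and `openssl x509 -noout -issuer -serial -in registrar.crt` prints the issuer and serial to paste into the allowlist.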