Possible to have different SSLCACertificateFiles under different Location in Apache (client side ssl certs)

Posted by Mikko Ohtamaa on Server Fault See other posts from Server Fault or by Mikko Ohtamaa
Published on 2012-09-15T20:58:53Z Indexed on 2013/11/02 15:54 UTC
Read the original article Hit count: 232

Filed under:
|
|
|

I am setting up Apache to do smartcard authentication. The smartcard login is based on client-side SSL certificates handled by an OS driver.

I have currently just one smartcard provider, but in the future there are potentially several of them. I am not sure how Apache 2.2. handles client-side certifications per Location. I did some quick testing and it somehow seemed that only the last SSLCACertificateFile directive would have been effective and this doesn't sound right.

Is it possible to have different SSLCACertificateFile per Location in Apache (2.2, 2.4) as described below or is SSL protocol somehow limiting that you cannot have more than one SSLCACertificateFile per IP?

Example potential config below how I wish to handle several SSLCACertificateFile on the same server to allow users to log in with different smartcard provides.

<VirtualHost 127.0.0.1:443>

    # Real men use mod_proxy
    DocumentRoot "/nowhere"

    ServerName local-apache
    ServerAdmin [email protected]

    SSLEngine on
    SSLOptions +StdEnvVars +ExportCertData

    # Server-side HTTPS configuration
    SSLCertificateFile /etc/apache2/certificate-test/server.crt
    SSLCertificateKeyFile /etc/apache2/certificate-test/server.key

    # Normal SSL site traffic does not require verify client
    SSLVerifyClient none
    SSLVerifyDepth 999

    # Provider 1
    <Location /@@smartcard-login>
        SSLVerifyClient require

        SSLCACertificateFile /etc/apache2/certificate-test/ca.crt

        # Apache does not natively pass forward headers
        # created by SSLOptions +StdEnvVars,
        # so we pass them forward to Python using RequestHeader
        # from mod_headers
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    </Location>

    # Provider 2
    <Location /@@smartcard-login-provider-2>
        # For real
        SSLVerifyClient require

        SSLCACertificateFile /etc/apache2/certificate-test/provider2.crt

        # Apache does not natively pass forward headers
        # created by SSLOptions +StdEnvVars,
        # so we pass them forward to Python using RequestHeader
        # from mod_headers
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    </Location>


    # Connect to Plone ZEO client1 running on fg
    ProxyPass             / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/
    ProxyPassReverse      / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/

</VirtualHost>

© Server Fault or respective owner

Related posts about apache2

Related posts about ssl