1

I am looking for a neat security implementation for clients to talk to my Apache instance.Its basically a system to system API communication and not involves any clients outside the organisation. What we have implemented so far looks like below,

  1. We created a client key and generated a CSR.
  2. CSR signed by the Organisation CA.
  3. Out Certificate combined with the Client private key and generated the pfx. The same has been shared to the API caller system.

The below modifications has been made to the Apache httpd.conf

SSLVerifyClient require SSLVerifyDepth 3 <Location /> SSLRequire %{SSL_CLIENT_S_DN_CN} eq "client_cn_name" </Location>

Is this the right approach? The problem here is there is no server side validation,in the sense nowhere its handshaking with the Apache instance. The client cert is directly under the Root cert. I was thinking is it a good idea to sign the client csr by the Apache domain private key which is actually issued by Organisation CA?

Also could someone explain how this SSLRequire directive will behave. I tried to generate a self signed cert that looks similar to the client cert with same CN for root and client. But the handshake didn't go well, however I am not sure if there is any vulnerability chance that a self signed cert can pass this security?

Appreciate your thoughts.

Improve this question

1 Answer 1

Reset to default
0

You can sign the client certs with either the organization cert, or the Apache server cert. Whichever one you use, be sure to put it into a SSLCACertificateFile directive, for example:

SSLCACertificateFile /path/to/apache/cert

As the documentation for SSLCACertificateFile says, this is the file of "certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication." So this will ensure that for a client cert to be accepted, it has to be signed by that certificate and key. If you use the Apache server cert for this, you're treating it as an intermediate signing cert for the client certs.

Note that SSLRequire is deprecated. The docs say that this does the same thing:

Require expr %{SSL_CLIENT_S_DN_CN} eq "client_cn_name"

and this helps to make clear that there's no SSL certificate checking involved; it's just checking whether the expression is true.

Improve this answer
4
  • Say for example if I use a cert signed by Organisation CA, and use the above SSLRequire directive to validate CN, would that be sufficient? Do we need the CA cert file location still? Commented Nov 28, 2020 at 13:15
  • Was wondering if client creates a self signed cert with same CN and tries to authenticate where Apache hasn't configured with CA cert file location could pass authentication? Just SSLRequire %{SSL_CLIENT_S_DN_CN} eq "client_cn_name" is really verifying the signature? Commented Nov 28, 2020 at 13:27
  • Response edited to say that SSLRequire is deprecated. You should use Require instead. And no, SSLRequire doesn't do any SSL checking. It's just an expression checker. Commented Nov 28, 2020 at 15:06
  • No, I think that without SSLCACertificateFile, Apache isn't verifying the client cert signature - just that a cert is present. Commented Nov 28, 2020 at 15:07

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.