Support

cyberluk · #1 09-16-2007, 11:28 AM

Hi!
Is there any chance for such functionality in near feature? I would like to use LiteSpeed Server or Load Balancer as a SSL accelerator and proxy, in front of Sun Java System Application Server, but I need client side certificates.

Regards,
Lukasz Walkowski

mistwang · #2 09-17-2007, 11:04 AM

We could provide a simple client authentication feature in 3.3 if a feature like "SSLRequire" in Apache mod_ssl is not required. "SSLCARevocationPath" may not be available as well.

Basic client authentication is easy to add, but "SSLRequire" and "Revocation" feature are not easy to implement.

Is basic client authentication exactly what you need now?

sofatime · #3 09-19-2007, 08:19 AM

SSLRequire would be a feature request from my side too. I am currently migrating a lsws installation to Apache because the client wants client side certificates.

Edit: Sorry, I meant "SSLVerifyClient require". What do you mean by "basic client authentication"?
Revocation is not needed in our case.

mistwang · #4 09-19-2007, 08:51 AM

Apache "SSLRequire" feature is a comprehensive SSL client certificate filtering feature.
After some research about revocation, it could be handle by OpenSSL internally, so there should not be big deal to add that as well.

We may provide client SSL authentication feature in our 3.3 release soon.

sofatime · #5 09-19-2007, 09:08 AM

That would be cool.

sofatime · #6 09-20-2007, 05:54 AM

This is what I would need:

SSLVerifyClient
SSLVerifyDepth
SSLCACertificateFile

I have moved the mentioned installation to Apache, but I already miss lsws and I would love to move it back...

And then I would also need the variables in PHP like:
_SERVER["SSL_CLIENT_VERIFY"]

cyberluk · #7 09-24-2007, 02:13 AM

Hi,
As sofatime wrote, I would need this options:

SSLVerifyClient
SSLVerifyDepth
SSLCACertificateFile

Basic Client Authentication would be enabled on Sun App Server. It's because I need user login inside servlets and webeservices to check roles and privileges.

mistwang · #8 09-24-2007, 10:08 AM

It will be available in the upcoming 3.3 release.

jnrey · #9 12-09-2007, 06:18 PM

Hi Mistwang. Do you have any basic example on how to use SSLRequire with Litespeed ? Can it be included under Rewrite Rules or is a .htaccess file necessary ? I can't get it to work with my certificates although everything was configured by the book. Am getting error code -12227 (handshake) when activating Client Verification.

Many thanks.

mistwang · #10 12-09-2007, 06:48 PM

You need to bind the listener to only one process due the SSL session cache.
You need to set either 'CA Certificate Path' or 'CA Certificate File' to make the CA used to signed the client certificate available.
"Client Verification" should be set to "required"
"Verify Depth" to 1 or higher.