Client Side Certificates Again

Discussion in 'Feedback/Feature Requests' started by cyberluk, Sep 16, 2007.

  1. cyberluk

    cyberluk New Member

    Hi!
Is there any chance for such functionality in the near future? I would like to use LiteSpeed Server or Load Balancer as an SSL accelerator and proxy, in front of Sun Java System Application Server, but I need client side certificates.

    Regards,
    Lukasz Walkowski
  2. mistwang

    mistwang LiteSpeed Staff

We could provide a simple client authentication feature in 3.3 if a feature like "SSLRequire" in Apache mod_ssl is not required. "SSLCARevocationPath" may not be available either.

Basic client authentication is easy to add, but the "SSLRequire" and "Revocation" features are not easy to implement.

    Is basic client authentication exactly what you need now?
  3. sofatime

    sofatime New Member

    SSLRequire would be a feature request from my side too. I am currently migrating a lsws installation to Apache because the client wants client side certificates.

    Edit: Sorry, I meant "SSLVerifyClient require". What do you mean by "basic client authentication"?
    Revocation is not needed in our case.
    Last edited: Sep 19, 2007
  4. mistwang

    mistwang LiteSpeed Staff

Apache's "SSLRequire" feature is a comprehensive SSL client certificate filtering feature.
    After some research about revocation, it could be handled by OpenSSL internally, so it should not be a big deal to add that as well.

    We may provide client SSL authentication feature in our 3.3 release soon.
  5. sofatime

    sofatime New Member

    That would be cool.
  6. sofatime

    sofatime New Member

    This is what I would need:

    SSLVerifyClient
    SSLVerifyDepth
    SSLCACertificateFile

    I have moved the mentioned installation to Apache, but I already miss lsws and I would love to move it back...

    And then I would also need the variables in PHP like:
$_SERVER["SSL_CLIENT_VERIFY"]
    Last edited: Sep 20, 2007
  7. cyberluk

    cyberluk New Member

    Hi,
As sofatime wrote, I would need these options:

    SSLVerifyClient
    SSLVerifyDepth
    SSLCACertificateFile

Basic Client Authentication would be enabled on Sun App Server. It's because I need user login inside servlets and web services to check roles and privileges.
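    The two posts above ask for the mod_ssl variables ($_SERVER["SSL_CLIENT_VERIFY"] and friends) and for role checks driven by the client certificate. As an added example that is not from this thread or from LiteSpeed, the Python below shows how an application behind the web server should consume those variables: it parses the one-line DN format the server exports, accepts an identity only when SSL_CLIENT_VERIFY is exactly SUCCESS, pins the issuing CA, and then maps the subject CN to roles. The variable names are the standard mod_ssl ones; the trusted issuer, the role table and the request environments are constructed for the example.

```python
# Added example (not from the thread): how the application behind the web server
# should consume the mod_ssl-style SSL_* variables once client verification is on.
# The variable names SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN are
# the standard mod_ssl names; the sample values, the trusted issuer and the
# role table below are constructed for this example.

# Constructed policy: only certificates issued by this CA are accepted for login,
# and roles are assigned per subject CN.
TRUSTED_ISSUER_CN = "Example Client CA"
ROLES_BY_CN = {
    "alice": {"admin", "user"},
    "bob": {"user"},
}


def parse_dn(dn):
    """Parse a one-line DN in the legacy '/C=PL/O=Example/CN=alice' form into a dict.

    Values containing '/' are not handled, which is enough for the plain DNs
    used in this thread; a later RDN of the same type overrides an earlier one.
    """
    result = {}
    if not dn:
        return result
    for rdn in dn.strip("/").split("/"):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        key, _, value = rdn.partition("=")
        result[key.strip()] = value.strip()
    return result


def client_identity(env):
    """Return the verified client's CN, or None.

    Only SSL_CLIENT_VERIFY == 'SUCCESS' means the chain was validated against
    the configured CA within SSLVerifyDepth. With 'SSLVerifyClient optional' (or
    optional_no_ca) the server still exports SSL_CLIENT_S_DN for a certificate
    that failed verification, so a DN on its own proves nothing.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer = parse_dn(env.get("SSL_CLIENT_I_DN", ""))
    if issuer.get("CN") != TRUSTED_ISSUER_CN:
        # SSLCACertificateFile may bundle several CAs; pin the one that issues logins.
        return None
    subject = parse_dn(env.get("SSL_CLIENT_S_DN", ""))
    return subject.get("CN") or None


def authorize(env, required_role):
    """True if the request carries a verified certificate whose CN holds required_role."""
    cn = client_identity(env)
    if cn is None:
        return False
    return required_role in ROLES_BY_CN.get(cn, set())


# Constructed request environments, as a mod_ssl-style server would populate them.
ENV_VERIFIED = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=PL/O=Example/CN=alice",
    "SSL_CLIENT_I_DN": "/O=Example/CN=Example Client CA",
}
ENV_UNTRUSTED_CA = {
    "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
    "SSL_CLIENT_S_DN": "/C=PL/O=Example/CN=alice",
    "SSL_CLIENT_I_DN": "/O=Somebody Else/CN=Rogue CA",
}
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}
ENV_OTHER_TRUSTED_CA = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/CN=alice",
    "SSL_CLIENT_I_DN": "/CN=Partner CA",
}

if __name__ == "__main__":
    cases = [("verified", ENV_VERIFIED), ("untrusted CA", ENV_UNTRUSTED_CA),
             ("no cert", ENV_NO_CERT), ("other trusted CA", ENV_OTHER_TRUSTED_CA)]
    for name, env in cases:
        print("%-17s identity=%r admin=%s"
              % (name, client_identity(env), authorize(env, "admin")))
```

    One caveat for the proxy setup cyberluk describes: when LiteSpeed terminates SSL in front of the application server, these values reach the backend as forwarded request headers rather than as local server variables, so the backend must accept them only on the connection from the proxy and must not let a client supply a header of the same name.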
  8. mistwang

    mistwang LiteSpeed Staff

    It will be available in the upcoming 3.3 release.
  9. jnrey

    jnrey New Member

    error code -12227

Hi Mistwang. Do you have any basic example on how to use SSLRequire with LiteSpeed? Can it be included under Rewrite Rules or is a .htaccess file necessary? I can't get it to work with my certificates although everything was configured by the book. I am getting error code -12227 (handshake) when activating Client Verification.

    Many thanks.
  10. mistwang

    mistwang LiteSpeed Staff

You need to bind the listener to only one process due to the SSL session cache.
    You need to set either 'CA Certificate Path' or 'CA Certificate File' to make the CA used to sign the client certificate available.
    "Client Verification" should be set to "required"
    "Verify Depth" to 1 or higher.
  11. QuantumNet

    QuantumNet New Member

# <Directory> matches a filesystem path; <Location> would match a URL path instead
    <Directory /usr/fake/domains/dot.com/public_html/test>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 10
    </Directory>


Why doesn't this work in the httpd.conf when using LiteSpeed as a drop-in Apache replacement?
  12. mistwang

    mistwang LiteSpeed Staff

SSL client verification is a rarely used feature; it is only supported in the LSWS native configuration. Apache has tons of features, and new modules added by third parties; we only support the most commonly used features.

You can configure the SSL vhost in the LSWS native configuration with an SSL listener; it can coexist with vhosts from Apache.
  13. QuantumNet

    QuantumNet New Member

    Thank you, I will try it.


Seems odd that it is such a rarely used feature. Seems to me developers who are working on websites and using subdomains as development, staging, testing directories would rather use certificates than have to enter a htaccess password over and over again.
