Client Side Certificates Again

#1
Hi!
Is there any chance for such functionality in the near future? I would like to use LiteSpeed Server or Load Balancer as an SSL accelerator and proxy, in front of Sun Java System Application Server, but I need client side certificates.

Regards,
Lukasz Walkowski
 

mistwang

LiteSpeed Staff
#2
We could provide a simple client authentication feature in 3.3 if a feature like "SSLRequire" in Apache mod_ssl is not required. "SSLCARevocationPath" may not be available as well.

Basic client authentication is easy to add, but the "SSLRequire" and "Revocation" features are not easy to implement.

Is basic client authentication exactly what you need now?
 

sofatime

Well-Known Member
#3
SSLRequire would be a feature request from my side too. I am currently migrating a lsws installation to Apache because the client wants client side certificates.

Edit: Sorry, I meant "SSLVerifyClient require". What do you mean by "basic client authentication"?
Revocation is not needed in our case.
 

mistwang

LiteSpeed Staff
#4
The Apache "SSLRequire" feature is a comprehensive SSL client certificate filtering feature.
After some research about revocation, it could be handled by OpenSSL internally, so it should not be a big deal to add that as well.

We may provide client SSL authentication feature in our 3.3 release soon.
 

sofatime

Well-Known Member
#6
This is what I would need:

SSLVerifyClient
SSLVerifyDepth
SSLCACertificateFile

I have moved the mentioned installation to Apache, but I already miss lsws and I would love to move it back...

And then I would also need the variables in PHP like:
_SERVER["SSL_CLIENT_VERIFY"]
 
#7
Hi,
As sofatime wrote, I would need these options:

SSLVerifyClient
SSLVerifyDepth
SSLCACertificateFile

Basic Client Authentication would be enabled on Sun App Server. It's because I need user login inside servlets and web services to check roles and privileges.
 
#9
error code -12227

Hi Mistwang. Do you have any basic example on how to use SSLRequire with LiteSpeed? Can it be included under Rewrite Rules or is a .htaccess file necessary? I can't get it to work with my certificates although everything was configured by the book. I am getting error code -12227 (handshake) when activating Client Verification.

Many thanks.
 

mistwang

LiteSpeed Staff
#10
You need to bind the listener to only one process due to the SSL session cache.
You need to set either 'CA Certificate Path' or 'CA Certificate File' to make the CA used to sign the client certificate available.
"Client Verification" should be set to "required"
"Verify Depth" to 1 or higher.
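The setup mistwang lists in #10 and the SSL_CLIENT_VERIFY variable sofatime asks about in #6 and #7, reproduced offline with the openssl command line as an added example (this is not code from the thread or from LiteSpeed). It builds a constructed, throwaway toy CA, a second unrelated CA and one client certificate in a temporary directory, then runs the same chain check a server performs against its 'CA Certificate File': the client certificate verifies only against the CA that actually signed it, which is the point of the second item in #10. The function names, the "alice" subject and the CA names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or LiteSpeed): reproduce, with the openssl
# CLI, the check a server does when "CA Certificate File" is set and
# "Client Verification" is "required". Everything here is constructed and
# throwaway: a toy issuing CA, an unrelated CA, and one client certificate.
set -eu

WORK=$(mktemp -d)

# Toy issuing CA (constructed)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Client CA" >/dev/null 2>&1

# A second, unrelated CA (constructed): a server configured with this one as
# its CA file must reject the client certificate issued below.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" \
    -subj "/CN=Unrelated CA" >/dev/null 2>&1

# Client key and CSR (constructed), then a certificate signed by the toy CA
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=alice/O=Example" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" >/dev/null 2>&1

# verify_client_cert CAFILE CERT
# Prints the value an application would see in SSL_CLIENT_VERIFY:
# SUCCESS when CERT chains to a CA in CAFILE, FAILED otherwise. (mod_ssl also
# reports NONE when no certificate was sent; that case is not modelled here.)
# The "OK" line is checked rather than the exit status because old OpenSSL
# releases returned 0 from "verify" even when verification failed.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo SUCCESS
    else
        echo FAILED
    fi
}

# client_subject CERT
# The subject DN a server exposes as SSL_CLIENT_S_DN. Application code should
# only act on it after verify_client_cert reported SUCCESS.
client_subject() {
    openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'
}

echo "issuing CA:   $(verify_client_cert "$WORK/ca.crt"    "$WORK/client.crt")"
echo "unrelated CA: $(verify_client_cert "$WORK/other.crt" "$WORK/client.crt")"
echo "subject:      $(client_subject "$WORK/client.crt")"
```

When the listener's verification mode is "required", the server ends the handshake itself for a certificate that does not chain to the configured CA file, so a missing or wrong CA file is one ordinary cause of a handshake failure. When the mode is optional, the connection is allowed through and it is the application's job to test SSL_CLIENT_VERIFY for SUCCESS before trusting anything in SSL_CLIENT_S_DN.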
 

QuantumNet

Well-Known Member
#11
<Location /usr/fake/domains/dot.com/public_html/test>
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10
</Location>


Why doesn't this work in the httpd.conf when using LiteSpeed as a drop-in Apache replacement?
 

mistwang

LiteSpeed Staff
#12
SSL client verification is a rarely used feature; it is only supported in the LSWS native configuration. Apache has tons of features, and new modules added by third parties; we only support the most commonly used features.

You can configure the SSL vhost in the LSWS native configuration with an SSL listener; it can coexist with vhosts from Apache.
 

QuantumNet

Well-Known Member
#13
Thank you, I will try it.


Seems odd that it is such a rarely used feature. Seems to me developers who are working on websites and using subdomains as develop, staging, testing directories would rather use certificates than have to enter a .htaccess password over and over again.
 