We have a Asp.Net 1.1 web services (https://dev-ms01/MsgService/default.asmx) running on IIS7 (win server 2008 standard), we have configured client certificate authentication in IIS and below is the .net
code for
ClientCertificate
authentication
private void Authenticate(DataTable dtUserMap,HttpContext context)
{
/// Convert the serial number from IIS to the DC format
/// which is: no dashs octets are in proper order.
string SerialNum = context.Request.ClientCertificate.SerialNumber.Replace("-","");
Debug.WriteLine("Authenticate User with cert = " + SerialNum);
/// get the column names from the table
string[] columnNames = new String[dtUserMap.Columns.Count];
/// populate the string array with the names
for(int i=0;i<dtUserMap.Columns.Count;i++)
{
columnNames[i] = dtUserMap.Columns[i].ColumnName;
}
/// Run a select query with the serial number
DataRow[] rows = dtUserMap.Select("SerialNumber='" + SerialNum + "'");
if (rows.Length==1){
/// the user exits
Debug.WriteLine("User Authenticated");
// further logic
}
else
{
/// either too many users or not any users
Debug.WriteLine("No single User Found");
context.Items.Add("IsAuthenticated",false);
}
}
We are setting up an apache2.4 server to support TLS 1.2 and also acts as proxy for the IIS , below is the apache configuarion
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
ServerName secure-dev-ms01
SSLEngine on
SSLProtocol -ALL TLSv1.2
SSLVerifyClient optional
SSLVerifyDepth 3
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/elm/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SSLProxyEngine On
SSLOptions +ExportCertData
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#ProxyPass should be prior to any other Proxy directives
ProxyPass / http://dev-ms01:80/
ProxyPassReverse / http://dev-ms01:80/
RewriteEngine on
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"
</VirtualHost>
When I browse the https://secure-dev-ms01/MsgService/default.asmx URL it is prompting for the client certificate and when I choose the client cert am not seeing the authorized content that am supposed to see, I suspect SSLOptions +ExportCertData
config of apache not forwarding the client certificate to IIS
.I couldn't find much info/articles on how to forward client certificate from apache to IIS.
Can someone please help me configuring apache with forward proxy for client certificate authentication to IIS?
Update 1:
Tried forwarding the requests to https://dev-ms01/
instead of http://dev-ms01:80/
and also setting the SSL_*
request headers in Apache VirtualHost as below, but still no luck
SSLProxyEngine On
SSLOptions +ExportCertData +StdEnvVars
#ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#ProxyPass should be prior to any other Proxy directives
ProxyPass / https://dev-ms01/
ProxyPassReverse / https://dev-ms01/
RewriteEngine on
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_SERVER_S_DN_CN}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_CERT_CHAIN_0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
RequestHeader set SSL_CLIENT_CERT_CHAIN_1 "%{SSL_CLIENT_CERT_CHAIN_1}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"
AFAIK, если Apache завершит запрос TLS, у IIS не будет никакого способа увидеть исходный сертификат клиента. Функция прокси-сервера Apache не может инициировать запрос https, который будет иметь исходный сертификат клиента, поскольку Apache не будет иметь доступа к связанному закрытому ключу.
Конфигурация SSLOptions + ExportCertData для apache, не пересылающего сертификат клиента в IIS
Это не то, что делает параметр ExportCertData
. Эти параметры просто устанавливают некоторые переменные среды, которые могут использоваться CGI или другими директивами в Apache. Он не передает этот сертификат волшебным образом. Вы даже используете некоторые из этих переменных в строках RequestHeader ...
Если вам действительно нужно проксировать ваши запросы в Apache, вам нужно будет обновить свое приложение за прокси, чтобы принять и доверять Заголовки HTTP, которые вы устанавливаете в Apache как эквивалент сертификата.