[Macpartners] setting up PHP authentication via client certificates

Josh Aresty jaresty at MIT.EDU
Fri Apr 6 14:36:08 EDT 2007


Thanks for all your help, Mike, Evan, and Jonathan.  It's working!

Best,
~Josh

On 4/6/07, Mike Moretti <mmoretti at mit.edu> wrote:
>
> Hi,
>
> In addition to what Jon Reed mentioned, you also need these:
>
>     SSLRequireSSL
>     SSLVerifyDepth 10
> and either
>     SSLVerifyClient require
> or
>     SSLVerifyClient optional
>
> -m
>
>
> Josh Aresty wrote:
> > Hi all,
> >   I was wondering if anyone here can point me to a good reference on how
> > to configure Apache, OpenSSL, and client certificates at MIT.
> >
> > I've been to http://web.mit.edu/apache-ssl/www/README.certificate and to
> > http://nazzim.mit.edu/developers/article.php?story=20051221094844208
> >
> > and while I have been able to get mod_ssl up and running using the OS X
> > server certificates interface, phpinfo() still does not show the
> > SSL_DN_Client_Email or other SSL variables I would expect to see.  I
> > don't completely understand how certificates work, and I prefer to use
> > the OS X server interfaces for Apache because OS X server has a quirky
> > way of choosing how to organize sites (and that makes me nervous to move
> > things around too much).
> >
> > The section of the apache configuration that seems to be concerned with
> > this says:
> >
> >         <IfModule mod_ssl.c>
> >                 SSLEngine On
> >                 SSLLog "/var/log/httpd/ssl_engine_log"
> >                 SSLCertificateFile "/System/Library/OpenSSL/certs/dev-llarc.pem"
> >                 SSLCertificateKeyFile "/System/Library/OpenSSL/private/server_key.pem"
> >                 SSLCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL"
> >                 SSLCACertificateFile "/System/Library/OpenSSL/certs/mitca.crt"
> >                 SSLCertificateChainFile "/System/Library/OpenSSL/certs/mitca.crt"
> >         </IfModule>
> >
> > Can anyone offer me insight?  The dev-llarc file is the file I received
> > after generating the request, and the server_key is the other file that
> > was generated before (and I did not send it to mitcert at mit.edu).
> > mitca.crt is from the MIT certificates page.
> >
> > I would also appreciate chatting on the phone, or in person if you have
> > the time.  Thanks.
> >
> > Best,
> > ~Joshua Aresty
> > MIT LLARC Programmer/Analyst
> > 3-4598
> >
>
> --
> Mike Moretti
> IDD - Technical Services
> SAIS - IS&T - MIT
> 617-253-1308
> mmoretti at mit.edu
>
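
The thread offers `SSLVerifyClient optional` as an alternative to `require`; in optional mode a request without a certificate still reaches PHP, so the script has to check the verification result itself. The following is an added example, not code from this thread: the function name `client_cert_identity` and all sample values are hypothetical, and it assumes mod_ssl exports its variables to PHP (for instance via `SSLOptions +StdEnvVars`).

```php
<?php
// Added example, not from the thread. Assumes mod_ssl exports its variables
// to PHP (for instance with "SSLOptions +StdEnvVars").

/**
 * Return the verified client identity, or null if the request must be
 * treated as unauthenticated.
 */
function client_cert_identity(array $server): ?array
{
    // With "SSLVerifyClient optional" a request without a certificate still
    // reaches PHP; mod_ssl then reports NONE. Only SUCCESS is trustworthy.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $email = $server['SSL_CLIENT_S_DN_Email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // verified certificate, but no usable e-mail in the subject
    }
    return [
        'email'  => strtolower($email),
        'name'   => $server['SSL_CLIENT_S_DN_CN'] ?? '',
        'issuer' => $server['SSL_CLIENT_I_DN'] ?? '',
    ];
}

// Constructed sample environments (hypothetical values) so this runs from the CLI.
$samples = [
    'verified' => [
        'SSL_CLIENT_VERIFY'     => 'SUCCESS',
        'SSL_CLIENT_S_DN_Email' => 'User@Example.EDU',
        'SSL_CLIENT_S_DN_CN'    => 'Example User',
        'SSL_CLIENT_I_DN'       => '/C=US/O=Example CA',
    ],
    'no certificate (optional mode)' => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'variables not exported'         => [],
    'failed verification' => [
        'SSL_CLIENT_VERIFY'     => 'FAILED:certificate has expired',
        'SSL_CLIENT_S_DN_Email' => 'user@example.edu',
    ],
];

foreach ($samples as $label => $server) {
    $id = client_cert_identity($server);
    echo str_pad($label, 32), $id ? "allow {$id['email']}" : 'deny', PHP_EOL;
}
```

In a real page the function would be called with `$_SERVER`; an empty result for every request usually means the SSL variables are not being exported to PHP at all.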