Thursday, December 2, 2010

Apache and client side SSL certificate verification

To require client SSL certificate verification, add this to your Apache config, inside the SSL-enabled virtual host (or in a Location or Directory block if only part of the site should demand a client certificate):

SSLVerifyClient require
SSLVerifyDepth 1
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/ssl/ca_that_signed_client_certs.pem

SSLVerifyDepth 1 only accepts client certificates signed directly by a CA in SSLCACertificateFile; if your client certificates are issued by an intermediate CA, put the intermediate in that file as well and raise the depth accordingly. The same file determines the list of acceptable CA names sent to the browser during the handshake, so the browser will only offer certificates chaining to those CAs. SSLCipherSuite is unrelated to client verification; it sets the OpenSSL cipher list, and MEDIUM admits 128-bit ciphers such as RC4 that you may not want to offer.

And to log what is going on with the SSL client cert verification, use something like this. SSL_CLIENT_VERIFY is NONE when no client certificate was presented, SUCCESS when it verified against the CA file, GENEROUS when it was accepted only because SSLVerifyClient is optional_no_ca, and FAILED:reason (with OpenSSL's verification error text) when it was rejected. LogLevel info also makes mod_ssl write the handshake details, including why a client certificate was rejected, to the error log:

ErrorLog /var/log/apache2/error.log
LogLevel info

CustomLog /var/log/apache2/access.log combined

CustomLog /var/log/apache2/ssl.log "%t %h %{SSL_PROTOCOL}x verify:%{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
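A small parser and audit for the ssl.log format above, as an added example that is not part of the original post. It assumes the Apache 2.2-era one-line subject DN format (/C=US/O=.../CN=...) while also accepting the comma-separated form, a hypothetical protected path prefix /secure/, and the constructed log lines embedded in SAMPLE_LOG. The verify field is matched lazily because FAILED reasons such as "certificate has expired" contain spaces, while the following DN field starts with "/", "-" or "Name=".

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the CustomLog format from the post:
#   %t %h %{SSL_PROTOCOL}x verify:%{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_S_DN}x "%r" %b
# %t is wrapped in [...]; a variable with no value is logged as "-".
# verify is matched lazily because "FAILED:<reason>" contains spaces;
# the DN is recognised by its leading "/" (2.2 format), "-" or "Name=" (2.4 format).
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) '
    r'verify:(?P<verify>\S.*?) (?P<dn>-|/[^"]*?|[A-Za-z]+=[^"]*?) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'
)

# Constructed sample lines (not real traffic) covering every SSL_CLIENT_VERIFY value.
SAMPLE_LOG = """\
[02/Dec/2010:10:15:32 +0000] 192.0.2.10 TLSv1 verify:SUCCESS /C=US/O=Example Corp/CN=alice "GET /secure/ HTTP/1.1" 1234
[02/Dec/2010:10:15:40 +0000] 192.0.2.11 TLSv1 verify:FAILED:certificate has expired /C=US/O=Example Corp/CN=bob "GET /secure/report HTTP/1.1" 403
[02/Dec/2010:10:16:02 +0000] 192.0.2.12 TLSv1 verify:NONE - "GET /public/index.html HTTP/1.1" 512
[02/Dec/2010:10:16:15 +0000] 192.0.2.13 TLSv1 verify:GENEROUS /C=US/O=Example Corp/CN=carol "GET /secure/ HTTP/1.1" 1234
[02/Dec/2010:10:16:30 +0000] 192.0.2.10 SSLv3 verify:SUCCESS /C=US/O=Example Corp/CN=alice "POST /secure/upload HTTP/1.1" -
this line is deliberately malformed and must be skipped
"""


@dataclass
class SslEntry:
    time: str
    host: str
    proto: str
    verify: str    # NONE, SUCCESS, GENEROUS or FAILED:<openssl reason>
    dn: str        # client certificate subject DN, "-" when none was sent
    request: str   # the HTTP request line
    bytes: str     # response size, "-" when unknown


def parse_line(line):
    """Return an SslEntry for one ssl.log line, or None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return SslEntry(**m.groupdict()) if m else None


def parse_log(text):
    """Parse a whole log, silently dropping lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def audit(entries, protected_prefix="/secure/"):
    """Summarise client certificate verification results.

    failed:               (host, openssl reason) for every FAILED entry
    generous:             hosts whose cert was accepted only via optional_no_ca
    unverified_protected: requests under protected_prefix that did not carry a
                          SUCCESSfully verified client certificate
    by_subject:           request count per verified client subject DN
    protocols:            request count per SSL/TLS protocol version
    """
    report = {
        "failed": [],
        "generous": [],
        "unverified_protected": [],
        "by_subject": Counter(),
        "protocols": Counter(),
    }
    for e in entries:
        report["protocols"][e.proto] += 1
        if e.verify.startswith("FAILED"):
            report["failed"].append((e.host, e.verify.partition(":")[2] or "unknown"))
        elif e.verify == "GENEROUS":
            report["generous"].append(e.host)
        elif e.verify == "SUCCESS":
            report["by_subject"][e.dn] += 1
        parts = e.request.split(" ")
        path = parts[1] if len(parts) > 1 else e.request
        if path.startswith(protected_prefix) and e.verify != "SUCCESS":
            report["unverified_protected"].append((e.host, path, e.verify))
    return report


if __name__ == "__main__":
    for key, value in audit(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Note that with SSLVerifyClient require at virtual host level a rejected client certificate aborts the TLS handshake, so no request line is ever written to ssl.log and the reason only appears in error.log; FAILED entries like the constructed one above come from the per-Location or per-Directory case, where mod_ssl renegotiates after the request has been read and answers with 403.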
