All entries for Wednesday 07 June 2006
June 07, 2006
I've always run any SSL I need on Tomcat on Windows as it was just really easy and less complicated and messy than getting Apache to work with SSL on Windows. Unfortunately I eventually needed to do it because of the extra power of Apache in that you can set different SSL options under different directories.
If you need to do client certificate authentication in Tomcat it is easy, but that is it, everything under that port is now protected with client auth.
In Apache you can do this:
... <Location /clientauth> SSLVerifyClient require SSLVerifyDepth 2 </Location> ...
Kindly a few people have written up some instructions on this:
Apache and SSL on Windows
Someone has also pre–built a Windows version of Apache with SSL built in:
Hunter Apache SSL builds as Apache doesn't provide it because they believe Windows is just not secure enough and allowing SSL on Windows lulls people into a false sense of security.
Anyway, most of it worked, but I just couldn't get Apache to trust my client certificates. The problem was this:
SSLEngine On SSLCertificateFile conf/ssl/my.crt SSLCertificateKeyFile conf/ssl/my.key SSLCACertificatePath conf/ssl.crt SSLCACertificateFile conf/ssl.crt/cabundle.crt
If you put certificates in the conf/ssl.crt path, when Apache starts up, it lists them all nicely saying that it has found them all, but will it trust them, will it hell. Only if you specifically put the certificate in the cabundle.crt (or whatever you've set SSLCACertificateFile to) will it work! Gah!
Anyway, working now so soon we should have a test membership of the SDSS federation so that we can do further tests on our Shibboleth SSO system.