2

I would like to know if there is a way to redirect a browser from a webpage, if it hasn't presented a valid client certificate.

For example:

This section on my website requires a mutual SSL authentication:

subdomain.domain.com

This is the main section of my website, and it's public:

domain.com

The client certificates for the authentication are issued by my own CA, self signed. The server certificate same. The "known" clients have also my CA added to their trusted CA store.

If there's a 3rd party client without the a valid client certificate accessing subdomain.domain.com it shall be redirected to domain.com

I'm thinking about some configuration in the VHOSTs area. I played around with 

RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS

or with

SSLVerifyClient optional / required / optional_no_ca

but it didnt seem to work as I'd like to have it.

I've found this article http://mail-archives.apache.org/mod_mbox/httpd-docs/201204.mbox/%3Ch15hm6ny7srm9zeidijezwJv4X.penango@mail.gmail.com%3E

and somehow understood what it's saying but am not sure if there isn't another way to go around it, or maybe it was fixed in the meanwhile (not just the documentation)

Thank you.

SetMeUp
  • 31
  • 1
  • 2

2 Answers2

5

I think you are on the right track. Apache's mod_ssl will set some Apache environment variables when there is a valid client certificate presented to the server. The following configuration block should redirect if the SSL_CLIENT_S_DN_CN Apache environment variable is empty.

<Location /path/to/protect/>
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions      +StdEnvVars

    RewriteEngine   on
    RewriteCond     %{SSL:SSL_CLIENT_S_DN_CN} =""
    RewriteRule     (.*) http://domain.com
</Location>

If the client certificate is not provided with the request, then SSL_CLIENT_S_DN_CN will be empty and that is used as the rewrite criteria.

Hope this helps.

stackoverflow
  • 51
  • 1
  • 2
1

Here is my configuration for this task

<Directory "c:/inetPub/../sd">

    SSLVerifyClient optional
    SSLVerifyDepth  1

    RewriteEngine   on
    RewriteCond     %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    RewriteRule     (.*) http://other_domain.com [R]
</Directory>
Solo.dmitry
  • 690
  • 8
  • 15