Apache – Restrict access using SSL certs

apachecpanelssl

is there a way to restrict access to a website, running Apache via cPanel, using SSL (like CTLs on IIS/Windows)?

I.E, the user has to have an ssl certificate installed/issued to be able to access the site.

Best Answer

This is certainly possible, through the SSLRequire directive. The most trivial setup is to formulate %{SSL_CLIENT_VERIFY} eq "SUCCESS". This also requires settting SSLVerifyClient and SSLCACertificatePath, as well as to install the trusted CA certificates.

Related Solutions

C# – Could not establish trust relationship for SSL/TLS secure channel — SOAP

The following snippets will fix the case where there is something wrong with the SSL certificate on the server you are calling. For example, it may be self-signed or the host name between the certificate and the server may not match.

This is dangerous if you are calling a server outside of your direct control, since you can no longer be as sure that you are talking to the server you think you're connected to. However, if you are dealing with internal servers and getting a "correct" certificate is not practical, use the following to tell the web service to ignore the certificate problems and bravely soldier on.

The first two use lambda expressions, the third uses regular code. The first accepts any certificate. The last two at least check that the host name in the certificate is the one you expect.
... hope you find it helpful

//Trust all certificates
System.Net.ServicePointManager.ServerCertificateValidationCallback =
    ((sender, certificate, chain, sslPolicyErrors) => true);

// trust sender
System.Net.ServicePointManager.ServerCertificateValidationCallback
                = ((sender, cert, chain, errors) => cert.Subject.Contains("YourServerName"));

// validate cert by calling a function
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateRemoteCertificate);

// callback used to validate the certificate in an SSL conversation
private static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors)
{
    bool result = cert.Subject.Contains("YourServerName");
    return result;
}

Git – SSL certificate rejected trying to access GitHub over HTTPS behind firewall

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)

There are two solutions:

Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:
```
$ cd /usr/ssl/certs
$ curl http://curl.haxx.se/ca/cacert.pem |
  awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash
```
Important: In order to use c_rehash you have to install openssl-perl too.
Ignore SSL certificate verification.

WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution.
```
$ env GIT_SSL_NO_VERIFY=true git clone https://github...
```

Best Answer

Related Solutions

C# – Could not establish trust relationship for SSL/TLS secure channel — SOAP

Git – SSL certificate rejected trying to access GitHub over HTTPS behind firewall

Related Topic