In this post I'm about to explain how to configure Apache Web server for Two Way SSL Authentication alone and how to configure Two Way SSL Authentication for a Certain Domain URL Locations and the mixture of both One Way standar SSL authentication and Two Way Handshake Authentication .
Generally before starting I have to say most Web sites does not require a Mutual SSL Authentication (the so called Two-Way SSL).
In most configurations Apache Web server is configured for One Way Basic authentication where The Web server authenticates to the Client usuall that's Browser program such as Mozilla Firefox / Chrome / IE / Epiphany whatever presenting certificate signed by Trustable Certificate Authority such as VeriSign.
The authority then autneticates to the browser that the Installed certificate on the Apache Web Server is trustable and the website is not a fraudulant, that is especially important for websites where sensitive data is being transferred, lets say Banks (Doing Money Transfers online), Hospitals (Transfelling your Medical results data) or purchasing something from Amazon.com, Ebay.Com, PayPal etc.
Once client validates the certificate the communication line gets encrypted based on Public Key, below diagram illustrates this.
However in some casis where an additional Security Hardening is required, the Web Server might be configured to require additional certificate so the authentication between Client -> Server doesn't work by certificating with just a Server provided certificate but to work Two Ways, e.g. the Client might be setup to also have a Trusted Authority Certificate and to present it to server and send back this certificate to the Server as well for a mutual authentication and only once the certificate handshake between;
client -> server and server -> client
is confirmed as successful the two could establish a trustable encypted SSL channel over which they can talk securely this is called
Two way SSL Authentication.
1. Configure Two Way SSL Authentication on Apache HTTPD
To be able to configure Two Way SSL Authentication handshake on Apache HTTPD just like with One way standard one, the mod_ssl Apache module have to enabled.
Enabling two-way SSL is usually not done on normal clients but is done with another server acting as client that is using some kind of REST API to connect to the server
The Apache directive used for Mutual Authentication is SSLVerifyClient directive (this is provided by mod_ssl)
the options that SSLVerifyClient receives are:
none: instructs no client Certificate is required
optional: the client is allowed to present a valid certificate but optionally
require: the client is always required to present a valid Certificate for mutual Authenticaton
optional_no_ca: the client is asked to present a valid Certificate however it has to be successfully verified.
In most of Apache configuratoins the 2 ones that are used are either none or require
because optional is reported to not behave properly with some of the web browsers and
optional_no_ca is not restrictive and is usually used just for establishing basic SSL test pages.
At some cases when configuring Apache HTTPD it is required to have a mixture of both One Way and Two Way Authentication, if that is your case the SSLVerifyClient none is to be used inside the virtual host configuration and then include SSLVerifyClient require to each directory (URL) location that requires a client certificate with mutual auth.
Below is an example VirtualHost configuration as a sample:
The SSLVerifyClient directive from mod_ssl dictates whether a client certificate is required for a given location:
<VirtualHost *:443>
…
SSLVerifyClient none
<Location /whatever_extra_secured_location/dir>
…
SSLVerifyClient require
</Location>
</VirtualHost>
Because earlier in configuration the SSLVerifyClient none is provided, the client will not be doing a Two Way Mutual Authentication for the whole domain but just the selected Location the client certificate will be not requested by the server for a 2 way mutual auth, but only when the client requests the Location setupped resouce a renegotiation will be done and client will be asked to provide certificate for the two way handshake authentication.
Keep in mind that on a busy servers with multitudes of connections this renegotiation might put an extra load on the server and this even can turn into server scaling issue on a high latency networks, because of the multiple client connects. Every new SSL renegotiation is about to assign new session ID and that could have a negative impact on overall performance and could eat you a lot of server memory.
To avoid this often it i suseful to use SSLRenegBufferSize directive which by default is set in Apache 2.2.X to 128 Kilobytes and for multiple connects it might be wise to raise this.
A mutual authentication that is done on a Public Server that is connected to the Internet without any DMZ might be quite dangerous thing as due to to the multiple renegotiations the server might end up easily a victim of Denial of Service (DOS) attack, by multiple connects to the server trying to consume all its memory …
Of course the security is not dependent on how you have done the initial solution design but also on how the Client software that is doing the mutual authentication is written to make the connections to the Web Server.
2. Configure a Mixture of One Way Standard (Basic) SSL Authentication together with Two Way Client Server Handshake SSL Authentication
Below example configuring is instructing Apache Webserver to listen for a mixture of One Way standard Client to browser authentication and once the client browser establishes the session it asks for renegotiation for every location under Main Root / to be be authenticated with a Mutual Two Way Handshake Authentication, then the received connection is proxied by the Reverse Proxy to the end host which is another proxy server listening on the same host on (127.0.0.1 or localhost) on port 8080.
<VirtualHost *:8001>
ServerAdmin name@your-server.com
SSLEngine on
SSLCertificateFile /etc/ssl/server-cert.pem
SSLCertificateKeyFile /etc/ssl/private/server-key.pem
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /home/etc/ssl/cacert.pem
<location />
Order allow,deny
allow from all
SSLRequire (%{SSL_CLIENT_S_DN_CN} eq "clientcn")
</location>
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
3. So what other useful options do we have?
Keep Connections Alive
This is a good option but it may consume significant amount of memory. If Apache is using the prefork MPM (as many Webservers still do instead of Apache Threading), keeping all connections alive means multiple live processes. For example, if Apache has to support 1000 concurrent connections, each process consuming 2.7MB, an additional 2700MB should be considered. This may be of lesser significance when using other MPMs. This option will mitigate the problem but will still require SSL renegotiation when the SSL sessions will time out.
Another better approach in terms of security to the mixture of requirement for both One Side Basic SSL Authentication to a Webserver and Mutual Handshake SSL Auth is just to set different Virtualhosts one or more configuration to serve the One Way SSL authentication and others that are configured just to do the Mutual Two Way Handshake SSL to specified Locations.
4. So what if you need to set-up multiple Virtualhosts with SSL authentication on the Same IP address Apache (SNI) ?
For those who did not hear still since some time Apache Web Server has been rewritten to support SNI (Server Name Indication), SNI is really great feature as it can give to the webserver the ability to serve multiple one and two way handshake authentications on the same IP address. For those older people you might remember earlier before SNI was introduced, in order to support a VirtualHost with SSL encryption authentication the administrator had to configure a separate IP address for each SSL certificate on each different domian name.
SNI feature can also be used here with both One Way standard Apache SSL auth or Two Way one the only downside of course is SNI could be a performance bottleneck if improperly scaled. Besides that some older browsers are not supporting SNI at all, so possibly for public services SNI is less recommended but it is better to keep-up to the good old way to have a separate IP address for each :443 set upped VirtualHost.
One more note to make here is SNI works by checking the Host Header send by the Client (browser) request
SSL with Virtual Hosts Using SNI.
SNI (Server Name Indication) is a cool feature. Basically it allows multiple virtual hosts with different configurations to listen to the same port. Each virtual host should specify a unique server name identification using the SeverName directive. When accepting connections, Apache will select a virtual host based on the host header that is part of the request (must be set on both HTTP and SSL levels). You can also set one of the virtual hosts as a default to serve clients that don’t support SNI. You should bear in mind that SNI has different support levels in Java. Java 1.7 was the first version to support SNI and therefore it should be a minimum requirement for Java clients.
5. Overall list of useful Options for Mutual Two Way And Basic SSL authentication
Once again the few SSL options for Apache Mutual Handhake Authentication
SSLVerifyClient -> to enable the two-way SSL authentication
SSLVerifyDepth -> to specify the depth of the check if the certificate has an approved CA
SSLCACertificateFile -> the public key that will be used to decrypt the data recieved
SSLRequire -> Allows only requests that satisfy the expression
Below is another real time example for a VirtualHost Apache configuration configured for a Two Way Handshake Mutual Authentication
For the standard One way Authentication you need the following Apache directives
SSLEngine on -> to enable the single way SSL authentication
SSLCertificateFile -> to specify the public certificate that the WebServer will show to the users
SSLCertificateKeyFIle -> to specify the private key that will be used to encrypt the data sent
6. Configuring Mutual Handshake SSL Authentication on Apache 2.4.x
Below guide is focusing on Apache HTTPD 2.2.x nomatter that it can easily be adopted to work on Apache HTTPD 2.4.x branch, if you're planning to do a 2 way handshake auth on 2.4.x I recommend you check SSL / TLS Apache 2.4.x Strong Encryption howto official Apache documentation page.
In meantime here is one working configuration for SSL Mutual Auth handshake for Apache 2.4.x:
<Directory /some-directory/location/html>
RedirectMatch permanent ^/$ /auth/login.php
Options -Indexes +FollowSymLinks
# Anything which matches a Require rule will let us in
# Make server ask for client certificate, but not insist on it
SSLVerifyClient optional
SSLVerifyDepth 2
SSLOptions +FakeBasicAuth +StrictRequire
# Client with appropriate client certificate is OK
<RequireAll>
Require ssl-verify-client
Require expr %{SSL_CLIENT_I_DN_O} eq "Company_O"
</RequireAll>
# Set up basic (username/password) authentication
AuthType Basic
AuthName "Password credentials"
AuthBasicProvider file
AuthUserFile /etc/apache2/htaccess/my.passwd
# User which is acceptable to basic authentication is OK
Require valid-user
# Access from these addresses is OK
Require ip 10.20.0.0/255.255.0.0
Require ip 10.144.100
</Directory>
Finally to make the new configurations working depending you need to restart Apache Webserver depending on your GNU / Linux / BSD or Windows distro use the respective script to do it.
Enjoy!
![this thirt party PAE Externsion Kernel Patch](http://<p> <img alt="Upgrade-Windows-7-Vista-XP-to-Windows-10-upgrade-howto-observations-post-fixes" src="https://www.pc-freak.net/images/Upgrade-Windows-7-Vista-XP-to-Windows-10-upgrade-howto-observations-post-fixes.png" style="width: 500px; height: 361px;" /> </p> <p> However as I've been upgrading my sister's computer previously running Windows 7 to Windows 10 (the process of upgrading is really simple you just <a href="https://www.microsoft.com/software-download/windows10">download </a><strong><a href="https://www.microsoft.com/software-download/windows10">Windows-Media-Creation-tool from Microsoft website </a>and the rest comes to few clicks (Accept Windows 10 User Agreement, Create current install restore point (backup) etc.) and waiting some 30 minutes or so for the upgrade to complete.<br /> <br /> <img alt="windows-7-to-10-windows-setup-upgrade-this-pc-prompt" src="https://www.pc-freak.net/images/windows-7-to-10-windows-setup-upgrade-this-pc-prompt.png" style="width: 500px; height: 393px;" /></strong><br /> <br /> <strong>Then it was up to downloading some other updates on a few times and restarting the computer, each time the upgrades were made and all the computer was ready. I've installed Avira (AntiVirus) as I usually do on new PCs and downloaded a bunch of anti-malware (<em>MalwareBytes / Rfkill / Zemanta</em>) to make sure that the old upgraded WIndows was not already infected before the upgrade and I've found a bunch of malware, that got quickly cleared up.</strong><br /> <br /> Anyways I've tried also another tool called <a href="http://www.reimageplus.com"><strong>ReimagePlus - Online Computer Repair</strong> </a>in <strong>order to check whether there are no some broken WIndows system files after the upgrade </strong><br /> <br /> <img alt="Reimage_Repair-Windows-fix-windows-failing-services-and-broken-windows-installations-clear-up-malware" src="https://www.pc-freak.net/images/Reimage_Repair-Windows-fix-windows-failing-services-and-broken-windows-installations-clear-up-malware.png" style="width: 600px; height: 406px;" /><br /> (here I have to say I've done that besides <em>running in an Administrator command prompt</em> (<strong>cmd.exe</strong>) and running<br /> </p> <blockquote> <strong>sfc /scannow </strong> </blockquote> <p> <br /> <strong>command to check base system files integrity, which luckily showed no problems with the Win base system files.</strong><br /> <br /> <strong>ReimagePlus </strong>however showed some failed services and some failed programs that were previously installed from Windows 7 before the upgrade and even it showed indication for Trojan present on computer but since ReImagePlus is a payed software and I didn't have the money to spend on it, I just proceeded to clean up what was found manually.<br /> <br /> After that the computer ran fine, with the only strange thing that some data was from hard drive was red a bit too frequently, after a short call with a close friend (<strong>Nomen</strong>) - thx man, he suggested that the frequenty hdd usage might be related to <em><strong>Windows Search Indexing service database rebuilt</strong></em> and he adviced me to disable it which I did following <a href="https://www.howtogeek.com/howto/windows-vista/speed-up-or-disable-windows-search-indexing-in-vista/">this article How to speed up Windows by disabling Search Index Service.</a><br /> <br /> <br /> One issue worthy to mention <strong>stumbled upon after the upgrade was problems with Windows Explorer which was frequently crashing and "restarting the Desktop"</strong>, but once, I've enabled all <strong>upgrades from Microsoft and Applied them after some update failures and restarts</strong>, once all was up2date to all latest from Microsoft, Explorer started working normally. </p> <p> In the mean time while Windows Explorer was crashing in order to browse my file system I used the <a href="https://www.winnc.com/download/">good old Win Total Command or Norton Commander for Windows - WinNC (with its most cool bizzarre own File Explorer tool)</a>.<br /> <br /> <img alt="Windows-Total-commander-tool-running-on-MS-Windows-10" src="https://www.pc-freak.net/images/Windows-Total-commander-tool-running-on-MS-Windows-10.png" style="width: 500px; height: 374px;" /><br /> <br /> As I wanted to run a MalwareBytes scan and Antivirus under Windows Safe-Mode, I tried entering it by restarting the Computer and <strong>pressing F8 a number of times before the Windows boot screen but this didn't work </strong>as Safe-Mode boot was changed in Windows 10 to be callable in another way because of <strong>some extra Windows Boot speed up optimizations</strong>, in short<span style="font-size:16px;"><strong> the easiest way I found to enter Windows 10 Safe Mode was to Hit Start Button -> Choose Restart PC and keep pressed SHIFT button simultaneously</strong></span><br /> that calls a menu that gives you some restore options, along with safe mode options for those who want to read more on <a href="http://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10">How to Enter Safe mode (Command Prompt) on Windows 10 - please read this article.</a><br /> <br /> <br /> <br /> <img alt="Windows-10-enable-Safe-Mode-options-screen" src="https://www.pc-freak.net/images/Windows-10-enable-Safe-Mode-options-screen.jpg" style="width: 500px; height: 300px;" /> </p> <p> Once the upgrade was over and all below done unfortunately I've realized her previously installed <em>WIndows 7 is x86 (32 bit) version</em> and the <strong>Acer notebook 5736Z where it is being installed is actually X64 (64 bit), hence I've decided to upgrade my dear sis computer to a 64 Bit Windows 10 and researched online whether, there is some tool that is capable to upgrade WIndows 10 from 32 bit to Windows 10 64 bit just to find out the only option is to either use some program to creaty a backup of files on the PC or to manually copy files to external hard drive and reinstall with a Windows 10 64 bit bootable USB Flash or CD / DVD image, so I took my USB flash and used again Windows Media Creation Tool to burn Windows and re-install with the 64 bit iso.<br /> <br /> If you're wonder about why I choose to re-install finally<em> Win 10 32 bit with Win 64 bit</em>, because you might think performance difference might be not really so dramatic, then I have to say the Acer notebook is equipped with 4 Gigabytes of RAM Memory and Windows 10 32bit (Pro) could recognize a maximum of 3 Gigabytes (2.9 GB if I have to be precise) and 1 Gigabyte of memory stayes totally unusued with <em>Winblows 10 32 bit</em>.<br /> <br /> <em>Well that's all folks, the rest I did was to just boot from the USB drive just burned and re-install WIndows and copy my files from User profile / Downloads / Pictures / Music etc. to the same locations on the new installed Windows 10 professional 64 bit and enjoy the better performance.</em></strong> </p>){kind=link}