[Freedombox-discuss] authenticating https clients through Monkeysphere
Clint Adams
clint at debian.org
Thu Mar 27 16:47:45 UTC 2014
Someone asked me to explain how to set up your own instance of
Apache using MSVA, so here goes:
0a) Make or co-opt a user to run MSVA on a fixed port. I was
doing this with runit, but systemd turns out to be far
nicer, so there's an example config[0] to use with a
"wwwmsva" user.
f.ex.
sudo adduser wwwmsva
sudo editor /etc/systemd/system/wwwmsva.service
(copy, paste, tweak, and save)
sudo systemctl enable wwwmsva
sudo systemctl start wwwmsva
0b) As the aforementioned user, import the key or keys you
wish to authorize as certifiers and give them "ultimate"
trust.
f.ex.
sudo -u wwwmsva -H gpg --recv-keys FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
sudo -u wwwmsva -H gpg --edit-key FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
trust
5
y
quit
1a) Ensure that you have apache2 and libapache2-mod-gnutls installed,
that they are sufficiently recent (libapache2-mod-gnutls 0.6-1),
and that mod-gnutls is enabled.
f.ex.
sudo apt-get install apache2 libapache2-mod-gnutls
sudo a2enmod gnutls
1b) Add the following line (or equivalent, if you are using a port
other than 5000) to /etc/apache2/envvars:
export MONKEYSPHERE_VALIDATION_AGENT_SOCKET=http://127.0.0.1:5000
1c) Add a virtual host with a config that uses
"GnuTLSClientVerifyMethod msva" and "GnuTLSClientVerify require".
Putting "GnuTLSClientVerify request" or "GnuTLSClientVerify require"
for a <Directory> and not the entire vhost seems to lead to a lot
of TLS rehandshaking and an utter failure to work, so you may want
to stick to something like this[1] for now.
1d) Generate a self-signed X.509 certificate to be used by the vhost,
and place it and its corresponding secret key in the places
designated by the Apache config.
1e) Import this into the Monkeysphere so that your clients can
authenticate the server. This is completely unnecessary to
authenticate the client, so you can skip it if all you want
to test is that.
f.ex.
sudo monkeysphere-host import-key /etc/apache2/certstuff/blah.key https://myfunwebserver.example.org
sudo monkeysphere-host set-expire 1y
sudo monkeysphere-host publish-keys
(manually import, certify with a key that your
xul-ext-monkeysphere setup will approve, and publish
to the keyservers)
2) Follow the instructions at demo.monkeysphere.info[2] to unsafely
get your secret key material into your web browser.
3) Ensure that Apache has been restarted/reloaded with the correct
configuration.
4) Add a CGI[3] that will give you some insight into what's
going on, possibly as /usr/lib/cgi-bin/showenv
5) Direct your web browser to the equivalent of
https://myfunwebserver.example.org/cgi-bin/showenv
6) Observe the values of environment variables
SSL_CLIENT_S_AN0, SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY
Note that if you connect with any random client
cert, you should get SSL_CLIENT_VERIFY=FAILED.
Now here are some problems:
a) You can't just GnuTLSClientVerify require the
resources you might want to restrict
b) There appears to be no way to authorize within
Apache; mod_rewrite special-cases mod_ssl
and even if mod_gnutls had ap_expr hooks I
don't think it would do any good.
If anyone knows how I might be misunderstanding Apache
and there's something like a way to map SSL_CLIENT_S_AN0
values into REMOTE_USER or a way to use this with
mod_authz_core, I'd be delighted to hear about it.
I apologize if I've omitted any steps.
[0] http://bugs.debian.org/742799
[1]
<IfModule mod_gnutls.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Require all granted
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        GnuTLSEnable On
        GnuTLSCertificateFile /etc/apache2/certstuff/blah.pem
        GnuTLSKeyFile /etc/apache2/certstuff/blah.key
        GnuTLSPriorities NORMAL:!VERS-SSL3.0
        GnuTLSClientVerifyMethod msva
        GnuTLSClientVerify require
</VirtualHost>
</IfModule>
[2] https://demo.monkeysphere.info/
[3]
#!/bin/sh
echo "Content-type: text/plain"
echo
env
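Added example (not part of Clint's post, nor of mod_gnutls or Monkeysphere): since the post notes there is no way to map SSL_CLIENT_S_AN0 into REMOTE_USER or into mod_authz_core, the authorization step has to happen in the application. The CGI below does that in the same style as the showenv script: it refuses anything that is not SSL_CLIENT_VERIFY=SUCCESS and then compares SSL_CLIENT_S_AN0 against an allowlist of user IDs. The allowlist entries are constructed placeholders; the exact string to put there (with or without a type prefix) is whatever the showenv CGI printed for SSL_CLIENT_S_AN0 on your setup, because this script compares the whole value literally.

```shell
#!/bin/sh
# Added example, not code from the original post: authorization inside a
# CGI, because mod_gnutls only authenticates the client and leaves the
# allow/deny decision to the application.
#
# Assumptions (not from the post): mod_gnutls exports SSL_CLIENT_VERIFY
# (SUCCESS / FAILED / NONE) and SSL_CLIENT_S_AN0 exactly as seen via the
# showenv CGI; the user IDs below are constructed placeholders.

# Constructed allowlist: one user ID per line, copied verbatim from what
# showenv printed as SSL_CLIENT_S_AN0 for each authorized person.
ALLOWED_IDS='alice@example.org
bob@example.org'

# client_authorized VERIFY AN0
# Returns 0 when the client certificate was verified by the MSVA (VERIFY
# is exactly SUCCESS) and AN0 is an exact, whole-line entry of the
# allowlist; returns 1 in every other case, including an empty AN0.
client_authorized() {
    verify="$1"
    an0="$2"
    [ "$verify" = "SUCCESS" ] || return 1
    [ -n "$an0" ] || return 1
    # -x: whole line must match, so "alice@example.org.evil" or a
    # substring cannot pass; -F: no regex interpretation of the ID.
    printf '%s\n' "$ALLOWED_IDS" | grep -qxF -- "$an0"
}

# Top-level CGI body: decide based on the environment Apache hands us.
if client_authorized "${SSL_CLIENT_VERIFY:-}" "${SSL_CLIENT_S_AN0:-}"; then
    # What a REMOTE_USER mapping would have given us, done by hand.
    printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n'
    printf 'authorized as %s\n' "$SSL_CLIENT_S_AN0"
else
    printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
    printf 'client certificate not authorized (SSL_CLIENT_VERIFY=%s)\n' \
        "${SSL_CLIENT_VERIFY:-unset}"
fi
```

Drop it next to showenv (for instance /usr/lib/cgi-bin/authz) and request it over the same vhost; a client whose key the wwwmsva user has not certified should see the 403 branch with SSL_CLIENT_VERIFY=FAILED, matching the observation in step 6. Note that this only protects resources that pass through the script; everything else under the vhost is still reachable by any client the MSVA accepts, which is the limitation the post describes.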