我只是尝试通过 https 对 SVN 服务器进行 SSL 身份验证。我希望客户端证书允许授权人员检查他们的存储库。
<VirtualHost 37.187.96.147:443>
ServerName toto.com:443
DocumentRoot /var/www/html/
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLStrictSNIVHostCheck on
SSLCertificateFile /etc/ssl/certificate-authority/certs/svn-webserver.crt
SSLCertificateKeyFile /etc/ssl/certificate-authority/private/svn-webserver.key
ErrorLog /var/log/httpd/svn-error_log
CustomLog logs/svn-access "%t %u %{SVN-ACTION}e" env=SVN-ACTION
SSLCACertificateFile /etc/ssl/certificate-authority/certs/ca.crt
SSLVerifyDepth 5
SSLVerifyClient require
SSLVerifyDepth 1
LogLevel debug
<Location /svn/>
DAV svn
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequireSSL
AuthName "Depot SVN namek"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/svn/.fakehttpsauth
Require valid-user
SVNParentPath /var/svn/
SVNListParentPath on
AuthzSVNAccessFile /var/svn/authz
</Location>
</VirtualHost>
但这并不是很有用,因为我的 svn 有这种类型的用户名
/C=xx/ST=xx/L=xx/CN=MyUser
我怎样才能使用 SSLUserName apache 指令仅使用客户端证书 (MyUser) 的 SSL_CLIENT_S_DN_CN 来创建 fakeauth
我得到的是 2.2.15 版本的 apache,所以我无法使用 AuthBasicFake 指令 :/
如果有人能帮助我那就太好了;)。
谢谢大家
答案1
在 .fakehttpsauth 中你需要输入如下内容:
/C=US/ST=CA/O=Doe Inc/CN=John Doe/[email protected]:xxj31ZMTZzkVA
以下是根据您的证书创建此类条目的脚本:
#!/bin/bash
# export the certificates in fake auth format
# see http://serverfault.com/questions/533639/apache-authentication-with-ssl-certificate-and-sslusername
# WF 2016-01-06
fakepass=`openssl passwd -crypt -salt xx password`
for c in *.crt
do
openssl x509 -in $c -text | grep Subject: | gawk -v fakepass=$fakepass '
BEGIN { FS="," }
{
gsub("Subject: ","",$0)
for (i=1;i<=NF;i++) {
f=trim($i)
printf("/%s",f);
}
printf(":%s\n",fakepass);
}
# see https://gist.github.com/andrewrcollins/1592991
function ltrim(s) { sub(/^[ \t\r\n]+/, "", s); return s }
function rtrim(s) { sub(/[ \t\r\n]+$/, "", s); return s }
function trim(s) { return rtrim(ltrim(s)); }
'
done