OpenID-eID: Difference between revisions
Jump to navigation
Jump to search
Content deleted Content added
mNo edit summary |
mNo edit summary |
||
| Line 1: | Line 1: | ||
Here are my attempts to create an [[OpenID]] provider based on the [[Belgian eID]] |
Here are my attempts to create an [[OpenID]] provider based on the [[Belgian eID]] |
||
===Install packages=== |
|||
Let's get apache2, php5 and openssl stuff: |
Let's get apache2, php5 and openssl stuff: |
||
apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert |
apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert |
||
===Setup apache server with SSL=== |
|||
Create self-signed certificate |
|||
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem |
|||
Little problem: by default the certificate is valid only 30 days, you've to edit make-ssl-cert script and add "-days" options, e.g: |
|||
openssl req -days 1024 ... |
|||
Verify generated certificate |
|||
openssl x509 -text -in /etc/apache2/ssl/apache.pem |
|||
Start from ssl example config |
|||
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \ |
|||
> /etc/apache2/sites-available/default-ssl |
|||
Activates ssl module |
|||
a2enmod ssl |
|||
Activates ssl virtualhost |
|||
a2ensite default-ssl |
|||
Edit /etc/apache2/sites-available/default-ssl |
|||
... |
|||
To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines: |
|||
SSLCipherSuite HIGH:MEDIUM:!ADH |
|||
SSLProtocol -ALL +SSLv3 +TLSv1 |
|||
Details on apache2 config... |
Details on apache2 config... |
||
Revision as of 20:34, 19 February 2008
Here are my attempts to create an OpenID provider based on the Belgian eID
Install packages
Let's get apache2, php5 and openssl stuff:
apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert
Setup apache server with SSL
Create self-signed certificate
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Little problem: by default the certificate is valid only 30 days, you've to edit make-ssl-cert script and add "-days" options, e.g:
openssl req -days 1024 ...
Verify generated certificate
openssl x509 -text -in /etc/apache2/ssl/apache.pem
Start from ssl example config
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \ > /etc/apache2/sites-available/default-ssl
Activates ssl module
a2enmod ssl
Activates ssl virtualhost
a2ensite default-ssl
Edit /etc/apache2/sites-available/default-ssl
...
To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines:
SSLCipherSuite HIGH:MEDIUM:!ADH SSLProtocol -ALL +SSLv3 +TLSv1
Details on apache2 config...
- requires client certificate
- import Belgium Root CA for validation of the client certificates
TODO: cf apache proxy proposed by the government:
Hacking phpMyID
Details on the patch
- remove HTTP Digest for the authorization step
- redirect authorization to HTTPS as we'll deal with SSL client certificates