Difference between revisions of "OpenID-eID"

From YobiWiki
Jump to navigation Jump to search
m
m
Line 1: Line 1:
 
Here are my attempts to create an [[OpenID]] provider based on the [[Belgian eID]]
 
Here are my attempts to create an [[OpenID]] provider based on the [[Belgian eID]]
   
  +
===Install packages===
 
Let's get apache2, php5 and openssl stuff:
 
Let's get apache2, php5 and openssl stuff:
 
apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert
 
apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert
  +
  +
===Setup apache server with SSL===
  +
Create self-signed certificate
  +
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
  +
Little problem: by default the certificate is valid only 30 days, you've to edit make-ssl-cert script and add "-days" options, e.g:
  +
openssl req -days 1024 ...
  +
Verify generated certificate
  +
openssl x509 -text -in /etc/apache2/ssl/apache.pem
  +
Start from ssl example config
  +
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
  +
> /etc/apache2/sites-available/default-ssl
  +
Activates ssl module
  +
a2enmod ssl
  +
Activates ssl virtualhost
  +
a2ensite default-ssl
  +
Edit /etc/apache2/sites-available/default-ssl
  +
...
  +
To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines:
  +
SSLCipherSuite HIGH:MEDIUM:!ADH
  +
SSLProtocol -ALL +SSLv3 +TLSv1
  +
   
 
Details on apache2 config...
 
Details on apache2 config...

Revision as of 21:34, 19 February 2008

Here are my attempts to create an OpenID provider based on the Belgian eID

Install packages

Let's get apache2, php5 and openssl stuff:

apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert

Setup apache server with SSL

Create self-signed certificate

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Little problem: by default the certificate is valid only 30 days, you've to edit make-ssl-cert script and add "-days" options, e.g:

openssl req -days 1024 ...

Verify generated certificate

openssl x509 -text -in /etc/apache2/ssl/apache.pem

Start from ssl example config

zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
  > /etc/apache2/sites-available/default-ssl

Activates ssl module

a2enmod ssl

Activates ssl virtualhost

a2ensite default-ssl

Edit /etc/apache2/sites-available/default-ssl

...

To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines:

SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol -ALL +SSLv3 +TLSv1


Details on apache2 config...

  • requires client certificate
  • import Belgium Root CA for validation of the client certificates

TODO: cf apache proxy proposed by the government:

Hacking phpMyID

Details on the patch

  • remove HTTP Digest for the authorization step
  • redirect authorization to HTTPS as we'll deal with SSL client certificates