Difference between revisions of "OpenID-eID"
Revision as of 22:28, 19 February 2008
Here are my attempts to create an OpenID provider based on the Belgian eID.
Install packages
Let's get apache2, php5 and openssl stuff:
apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert
Setup apache server with SSL
Create self-signed certificate
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Small problem: by default the certificate is valid for only 30 days; you have to edit the make-ssl-cert script and add a "-days" option to the openssl call, e.g.:
openssl req -days 1024 ...
Verify generated certificate
openssl x509 -text -in /etc/apache2/ssl/apache.pem
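As an added example (not from this page), here is a shell script that does what the make-ssl-cert edit above aims for: it creates the self-signed certificate with an explicit -days value, writes key and certificate into one PEM file the way make-ssl-cert does, and checks with openssl that the result outlives the 30-day default. The hostname and the output directory are constructed placeholders; the page's own path would be /etc/apache2/ssl/apache.pem.

```shell
#!/bin/sh
# Added example, not part of the wiki page: self-signed Apache certificate with
# an explicit validity, plus a check that it will not expire soon.
set -eu

# Generate a self-signed certificate and key into one PEM file, like
# make-ssl-cert does, but with -days set explicitly.
# $1 = output file, $2 = validity in days, $3 = hostname for the CN (constructed).
make_selfsigned_pem() {
    out=$1; days=$2; cn=$3
    tmpdir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=BE/O=Example (constructed)/CN=$cn" \
        -keyout "$tmpdir/key.pem" -out "$tmpdir/cert.pem" 2>/dev/null
    # Apache's SSLCertificateFile accepts key and certificate concatenated in
    # one file, which is why the page says SSLCertificateKeyFile is not needed.
    cat "$tmpdir/key.pem" "$tmpdir/cert.pem" > "$out"
    rm -rf "$tmpdir"
}

# Return 0 if the certificate in $1 stays valid for at least $2 more days.
# openssl x509 -checkend exits non-zero when the certificate expires within
# the given number of seconds.
cert_valid_for_days() {
    secs=$(( $2 * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null
}

# Print notBefore/notAfter (openssl x509 -text, as on the page, shows more).
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Demo run on a constructed hostname and a temporary directory.
demo_dir=$(mktemp -d)
make_selfsigned_pem "$demo_dir/apache.pem" 1024 openid.example.invalid
cert_dates "$demo_dir/apache.pem"
if cert_valid_for_days "$demo_dir/apache.pem" 30; then
    echo "OK: certificate outlives the 30-day default"
fi
```

Running it prints the validity window and confirms the certificate is good for more than 30 days; point `cert_valid_for_days` at the real apache.pem to get the same check on a deployed server.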
Start from ssl example config
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
    > /etc/apache2/sites-available/default-ssl
Activate the SSL module
a2enmod ssl
Activate the SSL virtual host
a2ensite default-ssl
Edit /etc/apache2/sites-available/default-ssl
# SSLCertificateKeyFile is not required, as apache.pem also contains the key
SSLCertificateFile /etc/apache2/ssl/apache.pem
And the usual stuff
DocumentRoot "/var/www"
ServerName ...
ServerAdmin ...
ErrorLog /var/log/apache2/error.log
TransferLog /var/log/apache2/access.log
To activate only the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol -ALL +SSLv3 +TLSv1
Adding Belgian Government Root certificates
You can extract the Belgium Root CA and the Citizen CA from your eID:
pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt
Then add client certificate requirements to /etc/apache2/sites-available/default-ssl
SSLCACertificateFile /etc/apache2/ssl/ca/belgium.crt
SSLOptions +StrictRequire
SSLVerifyClient require
SSLVerifyDepth 10
<Location />
    # accept only certificates issued by the Citizen CA:
    SSLRequire %{SSL_CLIENT_I_DN_C} eq "BE" \
           and %{SSL_CLIENT_I_DN_CN} in {"Citizen CA"}
</Location>
According to the documentation, because of a bug in Internet Explorer, you also need to add the GlobalSign Root certificate...
Retrieving citizens' certificate information
The REMOTE_USER variable, set by SSLUserName, can be used.
To set it to the user's distinguished name:
SSLUserName SSL_CLIENT_S_DN
Or the user's national number:
SSLUserName SSL_CLIENT_S_DN_serialNumber
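To see what the SSLCACertificateFile, SSLRequire and SSLUserName settings above actually do, here is an added shell example; it is not part of this page nor of any government-provided code. It builds a constructed test hierarchy with the same shape as the real one (a root CA that signs a "Citizen CA", which signs a citizen certificate), concatenates the two CA certificates into a belgium.crt bundle as the pkcs15-tool commands do, and then reproduces offline with openssl the chain verification Apache performs for SSLVerifyClient, the issuer rule the SSLRequire line expresses, and the serialNumber value that SSLUserName SSL_CLIENT_S_DN_serialNumber would put into REMOTE_USER. A second certificate signed directly by the root shows why the SSLRequire rule is needed on top of chain verification: it chains to a trusted CA but was not issued by the Citizen CA. Every name, path and the national-number-like serialNumber are constructed test data.

```shell
#!/bin/sh
# Added example, not from the wiki page: a constructed two-level test PKI and
# an offline re-implementation of the Apache client-certificate checks.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Issue a certificate. $1=basename, $2=subject DN, $3=days,
# $4=CA basename or "self" for a self-signed root, $5=extension text for -extfile.
issue_cert() {
    name=$1; subj=$2; days=$3; ca=$4; ext=$5
    printf '%s\n' "$ext" > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ "$ca" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days "$days" -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
            -CAcreateserial -days "$days" -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# Constructed hierarchy: root -> "Citizen CA" -> citizen certificate, plus one
# certificate signed directly by the root (trusted chain, wrong issuer).
build_test_pki() {
    issue_cert root "/C=BE/CN=Belgium Root CA (constructed)" 3650 self \
        "basicConstraints=critical,CA:TRUE"
    issue_cert citizen "/C=BE/CN=Citizen CA" 3650 root \
        "basicConstraints=critical,CA:TRUE"
    # serialNumber is a constructed value, not a real national number.
    issue_cert jane "/C=BE/CN=Jane Doe (Authentication)/serialNumber=12345678901/GN=Jane/SN=Doe" \
        365 citizen "basicConstraints=CA:FALSE"
    issue_cert other "/C=BE/CN=Some Server (constructed)/serialNumber=99999999999" 365 root \
        "basicConstraints=CA:FALSE"
    # Equivalent of the page's belgium.crt: root and Citizen CA concatenated.
    cat "$WORK/root.crt" "$WORK/citizen.crt" > "$WORK/belgium.crt"
}

# What SSLCACertificateFile + SSLVerifyClient require do: the client certificate
# must chain to something in the bundle.
chain_ok() {
    openssl verify -CAfile "$WORK/belgium.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Read one attribute (short name: C, CN, serialNumber, ...) from the subject or
# issuer DN, i.e. what Apache exposes as SSL_CLIENT_S_DN_* / SSL_CLIENT_I_DN_*.
dn_field() {  # $1=basename $2=subject|issuer $3=attribute
    openssl x509 -in "$WORK/$1.crt" -noout "-$2" -nameopt sep_multiline \
        | sed -n "s/^[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# The page's SSLRequire rule, evaluated outside Apache:
#   %{SSL_CLIENT_I_DN_C} eq "BE" and %{SSL_CLIENT_I_DN_CN} in {"Citizen CA"}
citizen_ca_policy() {
    [ "$(dn_field "$1" issuer C)" = "BE" ] && [ "$(dn_field "$1" issuer CN)" = "Citizen CA" ]
}

# What SSLUserName SSL_CLIENT_S_DN_serialNumber would place in REMOTE_USER.
remote_user() {
    dn_field "$1" subject serialNumber
}

build_test_pki
for who in jane other; do
    if chain_ok "$who"; then chain=OK; else chain=FAIL; fi
    if citizen_ca_policy "$who"; then policy=accept; else policy=reject; fi
    printf '%s: chain=%s policy=%s REMOTE_USER=%s\n' \
        "$who" "$chain" "$policy" "$(remote_user "$who")"
done
```

Both certificates pass chain verification, since both the root and the Citizen CA are in the bundle, but only the certificate issued by the Citizen CA passes the issuer rule. That is the reason the page combines SSLVerifyClient with an SSLRequire on the issuer DN instead of trusting the bundle alone. To inspect a real eID certificate the same way, run the `dn_field` commands against the file produced by pkcs15-tool.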
TODO: cf. the Apache SSL reverse proxy proposed by the government
Add to /etc/apache2/sites-available/default-ssl:
SSLUseOCSP on
SSLForceValidation on
See also: Certificate validation problems trapping, http://issues.apache.org/bugzilla/show_bug.cgi?id=35083
Enable ssl_error_module:
LoadModule ssl_error_module modules/mod_ssl_error.so
And add to /etc/apache2/sites-available/default-ssl:
<IfModule mod_ssl_error.c>
    SSL_Error_DefaultURL "/error/invalid.html"
    SSL_Error_URL 23 "/error/revoked.html"
    SSL_Error_URL 10 "/error/expired.html"
</IfModule>
cf. doc...
Hacking phpMyID (http://siege.org/projects/phpMyID/)
Details on the patch
- remove HTTP Digest for the authorization step
- redirect authorization to HTTPS as we'll deal with SSL client certificates