Require client certificates for https access?

Hi -

I like that there is a config option to require public-key authentication for SSH access, thus enforcing strong authentication. Thank you for that. I want to accomplish something similar for the management https server by requiring client certificates (signed by my CA) in order to successfully connect to the management interface. I’ve succeeded in doing this by adding 3 lines to /etc/httpd/conf/ssl-global.conf, but I fear my changes won’t survive a core update. Is there a better way to do this? Or at least a way that will likely survive a core update?

Thanks
-Dan

I suspect the files in the /etc/httpd/conf/ directory are not ones likely to be modified by a Core Update but it can’t be guaranteed.

What you can do as a safety step is to add etc/httpd/conf/ssl-global.conf to the /var/ipfire/backup/include.user file.
This will ensure that your changes are included in the backup done by IPFire before it runs the Core Update. Note that the leading / is removed from the definitions put into include.user.

After a Core Update is run you can then either first check that everything still works as you want or you could just as standard download the backup file made by IPFire and then restore from it.

@dzenc This is a very cool approach you have thought of. May I ask if you can post these three lines?

@bonnietwin Adolf, do you think a restore operation can be scripted, so that it happens automatically after a new version of IPFire is installed?

@dzenc, @bonnietwin:
I don’t think this solution is working in all cases.
What about corrections/enhancements included in a CU? They are deleted by the restore.

Therefore I think we should discuss a general modification for this. Either in the development list or as a feature request in Bugzilla, or both.

    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /var/ipfire/ca/cacert.pem

I did this globally in /etc/httpd/conf/ssl-global.conf. Client certificates need to be signed by the cert file listed above. (You should be able to increase SSLVerifyDepth if you use intermediate certificates.)

Thanks. I can do that.

@bonnietwin Never mind, documented here.

To follow up for anyone trying to replicate this, I tested by upgrading from 168 to 170 (without adding anything to the backup config) and noticed that it re-installed a clean ssl-global.conf after the upgrade. Instead of backing it up and restoring it, I added a patch to rc.local, and force a reboot if it applies, like so: (not the most efficient, but it seems to work)

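    reboot=0
    # --forward makes patch fail when the change is already applied,
    # so the reboot is only flagged right after a fresh file was patched
    { patch --forward -u /etc/httpd/conf/ssl-global.conf && reboot=1; } << 'END'
    …patch…
    END

    if [ "$reboot" -eq 1 ]; then
        echo reboot=$reboot
        /sbin/reboot
    fi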

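An alternative to carrying a patch, as an added example that is not from any post in this thread: a shell helper that idempotently sets the three directives posted above and reports whether the file changed, so the caller can restart only httpd instead of rebooting. The function names are hypothetical, and it assumes the directives sit at the top level of the file, as in the global setup described above, and are written with the same capitalisation.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not IPFire code).

# ensure_directive FILE NAME VALUE
# Returns 0 if FILE was changed, 1 if NAME already had VALUE, 2 on error.
ensure_directive() {
    file=$1 name=$2 value=$3
    # Correct only if the directive is present and every occurrence has the
    # wanted value (a later "SSLVerifyClient none" would override an earlier one).
    if awk -v n="$name" -v v="$value" \
        '$1 == n { if ($2 == v) ok = 1; else bad = 1 }
         END { exit !(ok && !bad) }' "$file"; then
        return 1
    fi
    tmp=$(mktemp) || return 2
    # Drop every existing setting of this directive, then append the wanted one.
    awk -v n="$name" '$1 != n' "$file" > "$tmp"
    printf '%s %s\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file"    # rewrite in place to keep owner and mode
    rm -f "$tmp"
    return 0
}

# require_client_certs CONF CAFILE
# Returns 0 if CONF was changed (httpd needs a restart), 1 if nothing changed,
# 2 if CONF does not exist.
require_client_certs() {
    conf=$1 ca=$2 changed=1
    [ -f "$conf" ] || return 2
    ensure_directive "$conf" SSLVerifyClient require && changed=0
    ensure_directive "$conf" SSLVerifyDepth 2 && changed=0
    ensure_directive "$conf" SSLCACertificateFile "$ca" && changed=0
    return $changed
}

# Usage with the paths from this thread (restart httpd only when it returns 0):
#   require_client_certs /etc/httpd/conf/ssl-global.conf /var/ipfire/ca/cacert.pem
```

Because a second run changes nothing and returns 1, calling it from rc.local on every boot is safe.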

Thanks. I filed it in Bugzilla - 12942 – Feature Request: Implement option to require client certificates for management HTTPS access

There must be a WUI implementation for managing the certs.