Apache SSL / Basic auth

Post by Marc Slemk » Tue, 17 Nov 1998 04:00:00

>When using basic authentication (mod_auth) and SSL (mod_ssl) together, the
>authentication occurs before SSL initializes. Can this be reversed on Apache?
>eg. Force SSL to initialize before the authentication so the password is not

Erm... I'm not sure what you mean.  SSL is a completely different
layer and it is setup for the entire TCP connection, including the
headers where the authentication information is.

Apache SSL / Basic auth

Post by Marc Slemk » Wed, 18 Nov 1998 04:00:00

>> >When using basic authentication (mod_auth) and SSL (mod_ssl) together, the
>> >authentication occurs before SSL initializes. Can this be reversed on Apache?
>> >eg. Force SSL to initialize before the authentication so the password is not

>> Erm... I'm not sure what you mean.  SSL is a completely different
>> layer and it is setup for the entire TCP connection, including the
>> headers where the authentication information is.

>Okay, let me explain further. On Apache, when you first request a page that
>is secured with SSL and authentication from a page that is insecure, Apache
>chooses to authenticate the user before starting SSL. Therefore, the password
>goes in the clear. I'm trying to force Apache to start SSL and then
>authenticate the user.

No.  You don't request a page "from" another page as far as Apache
is concerned.

If you request a page that isn't secured via SSL and that requires
authentication, then of course it has to be sent unencrypted.

If you do not wish the page that isn't "secured" via SSL to require
authentication, but only wish the page that is requested via SSL
to require authentication, then just configure your server so that
only one of them requires authentication.


Apache SSL / Basic auth

Post by Steve Vertiga » Thu, 19 Nov 1998 04:00:00
>Okay, let me explain further. On Apache, when you first request a page that
>is secured with SSL and authentication from a page that is insecure, Apache
>chooses to authenticate the user before starting SSL. Therefore, the password
>goes in the clear. I'm trying to force Apache to start SSL and then
>authenticate the user.

I believe you're getting confused by Netscape's behaviour here.  Netscape
loads a secure page, *then* changes the padlock icon in the toolbar to
indicate a secure transmission.  This is puzzling to the uninformed but rest
assured that the transmission, including password *is* secure.  Try going to
this url
https://jarrah.inature.com.au/ and you'll notice the icon doesn't change
until after the page has completely loaded, but if you were to connect to a
url using https without using SSL then the connection would just hang and
vice versa (I chose that url as it's a machine I setup and it's over a modem
so it should load slowly enough to observe).

If you want to make it look secured from the start just use a leadin page on
the SSL server before proceeding to the protected page.

Regards,
--Steve
"His style has been committed to software so you      ____________________
 don't have to wait the weeks it usually takes ______|  Sex Gods Anonymous
 him to locate and recognize his keyoard."    /Making fine HTML since 1956
Doktor Dynasoar                              /http://www.sexgods.base.org/


Apache SSL / Basic auth

Post by fiji » Thu, 19 Nov 1998 04:00:00

> >Okay, let me explain further. On Apache, when you first request a page that
> >is secured with SSL and authentication from a page that is insecure, Apache
> >chooses to authenticate the user before starting SSL. Therefore, the password
> >goes in the clear. I'm trying to force Apache to start SSL and then
> >authenticate the user.

> I believe you're getting confused by Netscapes behaviour here.  Netscape
> loads a secure page, *then* changes the padlock icon in the toolbar to
> indicate a secure transmission.  This is puzzling to the uninformed but rest
> assured that the transmission, including password *is* secure.  Try going to
> this url

nope... if I understand correctly here is the scenario. He has a page
secured with ssl. The page also has .htaccess file associated with it.
Now it looks like Netscape pops up the username/password box BEFORE ssl
starts thus the username/password are passed on in the clear. I may be
wrong but I think this is the problem the person is having. I don't have
an answer except to maybe have one page using ssl meta to another page
using ssl where the .htaccess would apply.

-Fiji

> https://jarrah.inature.com.au/ and you'll notice the icon doesn't change

> until after the page has completely loaded, but if you were to connect to a
> url using https without using SSL then the connection would just hang and
> vice versa (I chose that url as it's a machine I setup and it's over a modem
> so it should load slowly enough to observe).

> If you want to make it look secured from the start just use a leadin page on
> the SSL server before proceeding to the protected page.

> Regards,
> --Steve
> "His style has been committed to software so you      ____________________
>  don't have to wait the weeks it usually takes ______|  Sex Gods Anonymous
>  him to locate and recognize his keyoard."    /Making fine HTML since 1956
> Doktor Dynasoar                              /http://www.sexgods.base.org/


Apache SSL / Basic auth

Post by Steve Vertiga » Fri, 20 Nov 1998 04:00:00

>> I believe you're getting confused by Netscapes behaviour here.  Netscape
>> loads a secure page, *then* changes the padlock icon in the toolbar to
>> indicate a secure transmission.  This is puzzling to the uninformed but rest
>> assured that the transmission, including password *is* secure.

>nope... if I understand correctly here is the scenario. He has a page
>secured with ssl. The page also has .htaccess file associated with it.
>Now it looks like netscape pops up the username/password box BEFORE ssl
>starts thus the username/password are passed on in the clear

Incorrect.  The prompting for the username/password is going via ssl, just
Netscape doesn't display the icon to make it *appear* that way.  If you
don't believe me try connecting to a page on a ssl server with a browser
that doesn't speak ssl or specify the http protocol as opposed to https like
such..
http://secureserver.com:443/page.html
You'll see no data is exchanged, not even a username/password prompting.

> I may be
>wrong but I think this is the problem the person is having. I don't have
>an answer except to maybe have one page using ssl meta to another page
>using ssl where the .htaccess would apply.

As I suggested.  See below.

>> If you want to make it look secured from the start just use a leadin page on
>> the SSL server before proceeding to the protected page.

It's irrelevant whether it uses meta tags or normal links however.

Regards,
--Steve


Apache SSL / Basic auth

Post by Barry Margoli » Fri, 20 Nov 1998 04:00:00

>nope... if I understand correctly here is the scenario. He has a page
>secured with ssl. The page also has .htaccess file associated with it.
>Now it looks like Netscape pops up the username/password box BEFORE ssl
>starts thus the username/password are passed on in the clear. I may be
>wrong but I think this is the problem the person is having. I don't have
>an answer except to maybe have one page using ssl meta to another page
>using ssl where the .htaccess would apply.

Do you have any idea how user authentication works in HTTP?  If you did,
you would understand why the above is not possible.

The browser starts by connecting to the web server.  If the URL is http: it
uses ordinary, unencrypted HTTP.  If the URL is https:, it uses HTTP over
SSL, which encrypts everything in the session; the session key is
negotiated automatically when the connection is established.

The browser then sends a "GET <pathname>" command to the server.  If it's
an HTTP connection, it's sent in the clear; if it's an SSL connection, it's
encrypted.

If the page requires user authentication, the server responds with an error
code indicating this.  The browser pops up a username/password prompt, gets
the info from the user, and then resends the GET command, this time
following it with an Authentication header containing the authentication
information.  As above, if the session is over an SSL connection, this will
be encrypted.

As you can see, encryption and basic authentication are completely
independent.  Encryption occurs whenever you access an https: URL, and
authentication occurs whenever the server demands it due to the attributes
of the page (e.g. the existence of a .htaccess file).

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.


Apache SSL / Basic auth

Post by e.. » Sat, 21 Nov 1998 04:00:00

> nope... if I understand correctly here is the scenario. He has a page
> secured with ssl. The page also has .htaccess file associated with it.
> Now it looks like Netscape pops up the username/password box BEFORE ssl
> starts thus the username/password are passed on in the clear.

No. HTTP works like this

a) set up a Connection
b) transmit GET /url
c) receive page

b) is not possible without a). Since the SSL handshake takes place in a) it is
not possible to request a https file without establishing SSL. Note: the
password protection will happen after c! (since the page c) will contain an
error that the page is password protected, the browser will open up the
password dialog and retry the b) thing with an additional line (holding the
password and username).

Greetings
Bernd
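The exchange Barry and Bernd describe, carried out end to end as an added example (this is not code from anyone in the thread): a tiny HTTP/1.0 server and client in Python. The first GET to the protected area draws a 401 with a WWW-Authenticate challenge, the browser-style retry carries an Authorization: Basic header, and a constructed sniffer capture shows that on plain http:// those credentials are recoverable with nothing more than a base64 decode. The realm, the user table, the /private/ path and the captured request are all made up for the example. Encryption is deliberately not modelled, because that is the point the thread arrives at: the order of events is identical on http:// and https://, and whether the retry's bytes are readable on the wire depends only on which of the two the connection is.

```python
"""Added example (not from the thread): HTTP Basic auth challenge/response.

Constructed for illustration: the realm, the user table, the protected path
and the captured request below are all made up.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Example Realm"            # assumption: any realm string the server likes
USERS = {"alice": "s3cret"}        # assumption: constructed credential store
PROTECTED_PREFIX = "/private/"     # assumption: the area that "has a .htaccess"


def parse_basic(header_value):
    """Recover (user, password) from an Authorization header value, or None.

    Basic auth is base64, an encoding and not encryption: anyone who can read
    the request bytes can run this function. Only the transport (TLS) hides them.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("latin-1")
    except ValueError:             # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.partition(":")
    return user, password


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Serves /private/* only with a valid Basic credential, everything else freely."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        if self.path.startswith(PROTECTED_PREFIX):
            creds = parse_basic(self.headers.get("Authorization", ""))
            if creds is None or USERS.get(creds[0]) != creds[1]:
                # The "error code indicating this": 401 plus the realm challenge.
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
                self.end_headers()
                return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):   # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve from a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path, user=None, password=None):
    """One GET over plain HTTP; returns (status, WWW-Authenticate header or None)."""
    headers = {}
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("WWW-Authenticate")


def browser_flow(port, path, user, password):
    """Mimic a browser: GET; on 401 'prompt' the user and resend with Authorization.
    Returns the status codes seen, e.g. [401, 200]."""
    statuses = [fetch(port, path)[0]]
    if statuses[0] == 401:
        statuses.append(fetch(port, path, user, password)[0])
    return statuses


# Constructed sample of what a sniffer sees when the retry goes over http://.
CAPTURED_PLAINTEXT_REQUEST = (
    b"GET /private/index.html HTTP/1.0\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    b"User-Agent: Example/0.1\r\n"
    b"\r\n"
)


def credentials_from_capture(raw_request):
    """Pull the Basic credential out of a captured plaintext request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return parse_basic(value)
    return None


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    print("public  :", browser_flow(port, "/index.html", "alice", "s3cret"))
    print("private :", browser_flow(port, "/private/index.html", "alice", "s3cret"))
    print("bad pass:", browser_flow(port, "/private/index.html", "alice", "wrong"))
    print("sniffed :", credentials_from_capture(CAPTURED_PLAINTEXT_REQUEST))
    server.shutdown()
```

Run it and the public page returns [200], the protected page returns [401, 200], a wrong password returns [401, 401], and the constructed capture yields ('alice', 's3cret'). Wrapping the same server socket in TLS changes none of those status sequences; it only decides whether the bytes of the second request are readable to a third party.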


Help: Access server with SSL and Basic Auth

I am trying to write a small C utility to access a specific URL on
a Netscape Commerce server.  The page I am attempting to
access is on a server running with SSL and also protected by
Basic authentication.  Each time I send an HTTP/1.0 request to this
server I get back Error 401.

The following is a dump of the HTTP interaction between the client
and the server.  As you can see I do get back data from the server so
the TCP connection (to port 443 for HTTP over SSL) seems to work, but
the server rejects my KNOWN GOOD (ie works in Netscape 3.0) password.

GET /munifacts.html HTTP/1.0
Authorization: Basic VDc3MzRNMjM6daxlrRiAli=

User-Agent: Lookup/0.1

HTTP/1.0 401 Unauthorized
Server: Netscape-Commerce/1.12
Date: Wednesday, 04-Dec-96 23:00:01 GMT
WWW-authenticate: basic realm="Kamikaze Bunji Jumper"
Content-type: text/html
Content-length: 223

<HTML><HEAD><TITLE>Unauthorized</TITLE></HEAD>
<BODY><H1>Unauthorized</H1>
Proper authorization is required for this area. Either your browser
does not perform authorization, or your authorization has failed.
</BODY></HTML>

WHAT GIVES??????????!!!!!!!!!!!!!!!!!!!!!!!?????????????????!!!!!!!!!!

This basic exchange is one I know is correct.  If you send the same
HTTP request to an Apache 1.0.5 with Basic authentication set up it
honors a proper username/password (No SSL there though)!   Is Commerce
server broken or something?  I don't understand.

If anyone out there can see anything that I'm doing wrong I would sure
appreciate some help.  Thanks in advance.

Tod Harter
Rhombus Communications
