Apache + mod_kssl Test Page

Starting the servers (as root):

To start (foreground debug):
src/httpd -DSSL -X -f /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web/conf/httpd.conf
To start (normal mode):
/usr/local/apache/bin/apachectl startssl
To stop:
/usr/local/apache/bin/apachectl stop
To re-read configs: kill -HUP `cat /usr/local/apache/logs/httpd.pid`

Test Pages and Expected Results
Access/Server 8080 8443 Restrictions

Wide Open OK OK none

Any SSL Access Fail OK SSL encryption required

Any Kerberos Access Fail OK Kerberized client required (lynx or openssl s_client)

Kerberos Realm Access Fail OK Kerberos Realm = CSIT.FSU.EDU

Kerberos User Access Fail OK Kerberos Realm = CSIT.FSU.EDU & User = gateway0

Kerberos Principal Access Fail OK Kerberos Principal = gateway0@CSIT.FSU.EDU

Kerberos Principal Access Fail Fail Kerberos Principal = blofeles@S.P.E.C.T.R.E

Test Pages and Expected Results
Access/Server	8080	8443	Restrictions
Wide Open	OK	OK	none
Any SSL Access	Fail	OK	SSL encryption required
Any Kerberos Access	Fail	OK	Kerberized client required (lynx or openssl s_client)
Kerberos Realm Access	Fail	OK	Kerberos Realm = CSIT.FSU.EDU
Kerberos User Access	Fail	OK	Kerberos Realm = CSIT.FSU.EDU & User = gateway0
Kerberos Principal Access	Fail	OK	Kerberos Principal = gateway0@CSIT.FSU.EDU
Kerberos Principal Access	Fail	Fail	Kerberos Principal = blofeles@S.P.E.C.T.R.E

Software versions:

Apache 1.3.12
mod_ssl 2.6.5-1.3.12 (Good Docs)
OpenSSL 0.9.5a
See Also:
- Apache/(mod_)Perl page and the mod_perl source.
- Netscape Certificate Specifications
- Apache-SSL(alt version)
- Secure Sockets Layer (SSL v2/v3) Netscape Docs
- Transport Layer Security (TLS v1) Docs

Notable /usr/local/apache/conf/httpd.conf directives:

##
## httpd.conf -- kssl Apache HTTP server test configuration file
##

ServerType standalone
ServerRoot /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web
DocumentRoot /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web/htdocs
User nobody
Group nogroup

Port 8080
<IfDefine SSL>
Listen 8080
Listen 8443
</IfDefine>

#	NOTE WELL: 
#		In these test pages, the Kerberized VirtualHost's 
#		DocumentRoot is located below the regular web server's
#		DocumentRoot.  I don't think this is a good practice.
#		The following directive is all that prevents access to
#		the "kerberized" web pages through the regular port 8080
#		web server.  In a production environment it would be 
#		much safer to locate the Kerberos DocumentRoot outside of
#		any non-Kerberized DocumentRoot.  In any event, you should
#		test your configuration using a non-kerberized web client
#		to verify your access restrictions.
#
<Location /any_ssl/>
	SSLRequireSSL
</Location>

<IfModule mod_ssl.c>

SSLLog      /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web/logs/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>

<VirtualHost _default_:8443>

DocumentRoot /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web/htdocs
ErrorLog /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web/logs/error_log

<Files ~ "\.status$">
	SetHandler  kssl-status-handler
</Files>

<Location /open/>
</Location>

<Location /any_ssl/>
	SSLRequireSSL
</Location>

<Location /any_ssl/any_krb5/>
	SSLRequireSSL
	SSLCipherSuite KRB5-DES-CBC3-MD5
	#  or  SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP-KRB5|KRB5)-/	)
</Location>

<Location /any_ssl/any_krb5/krb5_realm/>
	KRB5Realm		CSIT.FSU.EDU
</Location>

<Location /any_ssl/any_krb5/krb5_princ/>
	KRB5Principal	gateway0@CSIT.FSU.EDU
</Location>
<Location /any_ssl/any_krb5/krb5_princ/bad/>
	KRB5Principal	blofeles@S.P.E.C.T.R.E
</Location>

<Location /any_ssl/any_krb5/krb5_user/>
	KRB5Realm		CSIT.FSU.EDU
	KRB5User		gateway0
</Location>

SSLEngine on

SSLCertificateFile /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web/conf/ssl.crt/server.crt
SSLCertificateKeyFile /a/birch.csit.fsu.edu/shared/home/cyoun/GATEWAY/apache-kssl/kssl.web/conf/ssl.key/server.key

</VirtualHost>                                  

</IfDefine>