Recently, I've been dealing with getting DCE working under Apache-SSL.
This isn't that difficult; we already have an in-house Apache DCE module.
However, part of my requirements for getting this working was that *NO* DCE
passwords would pass over the network in plaintext. So, naturally, the other
alternative is to force SSL.

While I realize that there is an SSLRequireSSL directive, that didn't
suit my needs, because the user must invoke it as part of .htaccess, or it
must be defined in the server. If I were to define it in the server, ALL of
the server would have to be SSL *all* the time, which is an unnecessary
load on our server.

I would like an SSLRequireSSLForAuth directive that would force all
password-protected areas to be forbidden to an http:// connection.

A brief explanation of the following patch. Our DCE module is accessed
by setting AuthName to "dce". This is _very_ site specific, but gives a good
idea of what must be done.

Basically, it doesn't offer a 401 Auth Required to DCE-protected areas,
instead it uses a 403 Forbidden error. There is an explanation in our
ErrorDocument 403 regarding this. For all other AuthName, it returns a 401.

-Jeff
*** http_protocol.old.c Fri Aug 14 15:56:35 1998
--- http_protocol.c Fri Aug 14 11:03:21 1998
***************
*** 930,936 ****
--- 930,949 ----
}
if (!auth_line) {
+ #ifndef _NO_SSL_AUTH_HACK_
+ if( strcasecmp( ap_auth_name(r), "dce" ) == 0 &&
!r->connection->client->ssl)
+ {
+ ap_log_reason("SSL required for DCE
Authentication",r->filename,r);
+ return FORBIDDEN;
+ }
+ else
+ {
+ ap_note_basic_auth_failure(r);
+ return AUTH_REQUIRED;
+ }
+ #else
ap_note_basic_auth_failure(r);
+ #endif /* _NO_SSL_AUTH_HACK_ */
return AUTH_REQUIRED;
}
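
Review bot: The SSL test sits inside `if (!auth_line)`, so it only runs when the request arrives without an Authorization header; a request to the "dce" realm over plain HTTP that already carries Basic credentials skips this branch entirely, and the FORBIDDEN path is never reached for it. Move the `strcasecmp( ap_auth_name(r), "dce" ) == 0 && !r->connection->client->ssl` test ahead of the `if (!auth_line)` check so that non-SSL requests to the realm are refused whether or not a header is present. Smaller points in the same hunk: under `#ifndef _NO_SSL_AUTH_HACK_` both arms of the if/else return, which leaves the trailing `return AUTH_REQUIRED;` unreachable in that build; the negated macro name makes the default hard to read; and the condition and the `ap_log_reason` string have been wrapped by the mailer, so the patch will not apply or compile as posted.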
--
Jeffrey Mahoney
System Programmer
Information Systems and Computing
Rochester Institute of Technology
Rochester NY
Ph: 716-475-2258