Sat, 15th Nov 2008
I wanted to run some virtualisation software on one of my Debian boxes. We use VMs heavily at work, so I investigated my choices:
I know there are a few others out there like OpenVZ (open-source Virtuozzo) and vserver (which we also use at work), but I settled on VMware in the end. Familiarity with the desktop product, support for Windows guests on *nix and the fact that the server provider I’m with offers an install image with VMware on it make it a sound choice for me.

Wed, 3rd Sep 2008
Nginx is a webserver. It’s tiny, it’s free (and open source, though like I care what license it’s under) and it’s screamingly fast. I do prefer it to Apache, even though there are a few bits it lacks.

One thing I found recently was testing client authentication with the iPhone. See, although nginx supports it, there are only two options: on or off[1]. Apache has more options, including ‘require’. It seems that the latest stable version of nginx doesn’t require the client to present a certificate (with SSL_VERIFY_PEER alone, OpenSSL asks for one but completes the handshake if none is sent), thus the iPhone at least doesn’t bother. So, I dug into the source and, knowing some OpenSSL too, changed:

```c
SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback);
```

to

```c
SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ngx_http_ssl_verify_callback);
```

in the ‘ngx_event_openssl.c’ file around line 243, OR’ing in the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, which makes the server require the client certificate rather than merely request it. Recompile, restart - presto! Nginx makes the iPhone ask for the certificate!

[1] The new 0.7 branch has an ‘ask’ option, but I haven’t tried that yet and it probably works as above.
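The same request-versus-require distinction at the configuration level, as an added example that is not part of the post or of nginx’s own documentation: it uses the `optional` value (the successor of the 0.7 ‘ask’ option in later nginx releases) and the `$ssl_client_verify` variable, and all paths and hostnames are placeholders.

```nginx
# Added example, not from the post or the nginx project. Paths and hostnames are
# placeholders; 'optional' and $ssl_client_verify come from later nginx releases.

# 1. Request AND require: the same effect as OR'ing in
#    SSL_VERIFY_FAIL_IF_NO_PEER_CERT. A client without a certificate never
#    finishes the TLS handshake, so none of its requests reaches the backend.
server {
    listen 443 ssl;
    server_name internal.example.com;

    ssl_certificate        /etc/nginx/site.crt;
    ssl_certificate_key    /etc/nginx/site.key;
    ssl_client_certificate /etc/nginx/ca.pem;   # CA(s) allowed to issue client certs
    ssl_verify_client      on;                  # on = request and require
    ssl_verify_depth       2;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the verified identity to the backend (and make it loggable)
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}

# 2. Request only (plain SSL_VERIFY_PEER behaviour): the handshake completes
#    even without a certificate, so the server must check $ssl_client_verify
#    itself on every protected path. Only use this where one vhost mixes
#    public and certificate-protected locations; elsewhere prefer 'on'.
server {
    listen 443 ssl;
    server_name mixed.example.com;

    ssl_certificate        /etc/nginx/site.crt;
    ssl_certificate_key    /etc/nginx/site.key;
    ssl_client_certificate /etc/nginx/ca.pem;
    ssl_verify_client      optional;

    location /public/ {
        root /var/www;
    }
    location /secure/ {
        # $ssl_client_verify is SUCCESS, FAILED or NONE; anything other than
        # SUCCESS means no valid client certificate was presented.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

With the second form, forgetting the `$ssl_client_verify` check on a single protected location is enough to expose it to anonymous clients, which is why the first form is the safer default.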
Wed, 3rd Sep 2008

Basically, it works. And it works kinda well. I work for a CA. We have some internal systems that authenticate with client certificates over HTTPS, and I wanted to get them working on my iPhone. You know, for fun. There’s a thread here on the Apple forums where a few users complain that certificate-based client authentication doesn’t work, so here’s how I did it.
After I figured this out, I had to find out how to get the certificate onto the phone. The Enterprise Deployment Guide PDF from Apple showed how you could get a tool to do it, how the phone could download it from a webserver (check your webserver has the right MIME types set for .p12 and .pfx files!) or how it could be emailed. So, I emailed myself a test .p12 and a test .pfx. The formats are similar: the PFX is Microsoft’s implementation, which I got from an XP machine, and the .p12 came via a cert obtained in Firefox.

Tapping the file gets you a nice dialog with an ‘Install’ button, and clicking this asks for the file password. Once it’s installed, the certificate is visible in the ‘General’ settings area. Note that you can import root certs (sans private keys) this way too, to make your own internal CA work.

Once you then use Mobile Safari to browse to a site requiring a certificate for authentication, you get a nice dialog telling you, and it works! If you have more than one cert then it’ll even ask which one to use. Nice one, Apple. Shame they don’t have the ‘Identity Preferences’ of the Keychain on Leopard, where you can pre-assign a cert to a site, but that’s nitpicking. Get the <keygen> tag fixed, and we’re good, Apple.

Feel free to use my test site: visit the HTTP site first to get the root and the test .p12 (both served with the correct MIME type) and then visit the HTTPS site to test. Check my contact details if you want to give/get any feedback.
It works.
Well done Google. After I got over the HYPE MASHEEN it seems you do the right thing. And you use the Windows certificate store too! What about OSX/*nix I wonder…