frenzypeng / securityswitch

Automatically exported from code.google.com/p/securityswitch
Other
0 stars 0 forks source link

Not able to use SSL Flag: SslRequireCert #45

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.
In the web config file, I have the following:
<location path="login.aspx">
    <system.webServer>
      <security>
        <access sslFlags="SslNegotiateCert,SslRequireCert" />
      </security>
    </system.webServer>
</location>
2.
When a user attempts to go to the non-SSL version (http://) of the url, 
SecuritySwitch does not switch to https://

If you remove the SslRequireCert from web.config, the user will be prompted to 
pick a cert, but can just click Cancel and go to the page, which is not desired.

3.
I don't see any other configuration provided by SecuritySwitch that will allow 
me to require the user to specify a cert when entering a secure page.

----

Please include the securitySwitch configuration section from your
web.config file.

<securitySwitch mode="RemoteOnly" xmlns="http://SecuritySwitch-v4.xsd" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:noNamespaceSchemaLocation="SecuritySwitch-v4.xsd">
    <paths>
      <add path=login.aspx" security="Secure"/>
    </paths>
  </securitySwitch>

Original issue reported on code.google.com by jlaver...@gmail.com on 24 Apr 2013 at 12:01

GoogleCodeExporter commented 8 years ago
Thanks for taking time to submit. I think we can get this working without a 
need for any code changes in the module.

The system.webServer\security\access@sslFlags attribute only expects 1 value. 
In your case, it appears that IIS is just choosing the first value, 
"SslNegotiateCert". By your description, you want the user to HAVE to pick a 
client cert. If so, change the sslFlags attribute to "SslRequireCert" instead. 
If you want the client cert to be optional, set the attribute to just 
"SslNegotiateCert".

Also, just to rule out any typos, make sure that path you add for the 
securitySwitch section is fully quoted (your pasted config is missing the left 
quote).

So, here is the suggested changes to your config file. Let us know if these 
changes work or not, and we'll take a look further if necessary. Thanks!

<securitySwitch mode="RemoteOnly" xmlns="http://SecuritySwitch-v4.xsd" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:noNamespaceSchemaLocation="SecuritySwitch-v4.xsd">
    <paths>
        <add path="login.aspx" security="Secure"/>
    </paths>
</securitySwitch>
...
<location path="login.aspx">
    <system.webServer>
        <security>
            <access sslFlags="SslRequireCert" />
        </security>
    </system.webServer>
</location>

Original comment by vent...@gmail.com on 24 Apr 2013 at 6:43

GoogleCodeExporter commented 8 years ago
Thanks for your response.
The missing left quote was a typo on my part.

I changed the config file as you suggested, only having the "SslRequireCert" 
present, and also making sure the <securitySwitch> section was correct, but the 
problem still exists. It wouldn't go to the https version of the url. When a 
user clicks a menu to go to this page, our link is a relative path, ie 
"~/pages/login.aspx", as an FYI. I didn't write down the full directory path in 
my example for brevity.

As a test, I switched the flag to "SslNegotiateCert" and it did pop up the 
dialogue to pick a cert and then continue to the https version of the page, but 
that still leaves the user the ability to cancel and still enter the page.

Original comment by jlaver...@gmail.com on 24 Apr 2013 at 8:16

GoogleCodeExporter commented 8 years ago
Understood. It was worth a shot.

I'll play around with these settings over the weekend and see what I can come 
up with. These types of settings (under webServer) usually take precedence over 
any .NET module code. I'm wondering if IIS is making some weird decision, then 
aborting before the module runs. I'll run some tests.

Thanks again.

Original comment by vent...@gmail.com on 24 Apr 2013 at 9:43

GoogleCodeExporter commented 8 years ago

Original comment by vent...@gmail.com on 24 Aug 2014 at 10:40