mod_tcpcrypt for Apache
This module exposes the tcpcrypt session ID of the current Apache HTTP connection to scripts and Web apps running on Apache.
TCP_CRYPT_SESSID environment variable contains the tcpcrypt session ID
if a tcpcrypt connection was established; otherwise, the env var is unset. For
example, a PHP script can access the tcpcrypt session ID as
If both ends of a tcpcrypt connection see the same session ID, then an attacker cannot eavesdrop on or undetectably tamper with traffic--i.e., there has not been a man-in-the-middle attack. Also, session IDs are (with overwhelming probability) unique over all time, even if one end of a connection is malicious. Thus tcpcrypt session IDs can be used to mutually authenticate a connection and all of the data passed over it. See section 4 of the tcpcrypt paper for more info on using tcpcrypt session IDs for authentication.
The tcpcrypt team is currently working on more examples of using tcpcrypt for HTTP authentication. Subscribe to tcpcrypt-dev to follow our progress or contribute.
You'll need Apache 2.2 and apxs2, the Apache tool for installing modules. On
Ubuntu and Debian,
apt-get install apache2-dev should suffice.
Set the Makefile's
TCPCRYPT variable to the path containing the tcpcrypt
code. Build tcpcrypt's
(see instructions for tcpcrypt).
Now, from this
mod_tcpcrypt directory, run
make install as root to build
and install the module.
mod_tcpcrypt adds the
TCP_CRYPT_SESSID env var to every
request. This will change soon, but for now, no configuration is needed other
than installing the module.
IPv6 note: Tcpcrypt doesn't really work with IPv6 (yet). If Apache is
listening on an IPv6 address (check
netstat for "tcp6"), mod_tcpcrypt will
probably work for IPv4 clients (who will appear to Apache as having
IPv4-compatible IPv6 addresses). If you're having problems and don't actually
care about IPv6, then change all of your Apache config Listen directives to
specify an IPv4 address (e.g.,
Listen 80 -> Listen 0.0.0.0:80`).
Accessing TCP_CRYPT_SESSID in scripts/Web apps
The sockopt is just exposed as a normal environment variable. Here are a few language-specific examples.
import osand then
This module has only been tested on Linux (Debian Squeeze amd64). Currently not recommended for production use.
For more info about how to use tcpcrypt session IDs to authenticate connections, see section 4 of the tcpcrypt paper.