#1 SSL Client certificate support

Caudium_Core
open
Bill welliver
Caudium (9)
5
2004-08-24
2001-03-04
No

Request: Add support for SSL client certificates

Reference: www.modssl.org (implements SSL for apache)

I have some knowledge about this but not enough in reference to caudium.

Discussion

  • Logged In: YES
    user_id=65373

    Humm... Can you detail this request more?

    /Xavier

     
    • milestone: --> Caudium_Core
     
    • labels: --> Caudium
     
  • Logged In: YES
    user_id=165645

    I want Caudium to be able to REQUIRE the clients
    (browsers) to present a certificate to the server (Caudium).
    The server should then verify that the client's certificate
    is valid (not too new, not too old, the digital signature verifies,
    and so on); then access is granted (think .htaccess).

    That would be nice

     
  • Logged In: NO

    The SSL module in pike doesn't "handle" certificates
    yet. Getting certificate support in pike is probably the
    first step. Once that's done, it would probably be
    possible to add certificate handling to an auth module.

    Can you provide examples of how this might be used in
    an htaccess file? Would the user database have to
    keep track of valid certificates?

     
  • Logged In: YES
    user_id=65373

    Caudium 1.3 now supports chained certificates. I dunno if it
    is what you were looking for... ?

    /Xavier

     
  • Bill welliver
    Bill welliver
    2004-06-25

    Logged In: YES
    user_id=272269

    Pike 7.6 supports client certificate requests. Now that that
    framework is in place, we can think about adding support for
    SSL authentication in Caudium.

     
  • Bill welliver
    Bill welliver
    2004-06-25

    • assigned_to: nobody --> hww3
     
  • Logged In: NO

    Can I help in any way?

    //kinneh

     
    • status: open --> closed
     
  • Logged In: YES
    user_id=65373

    Done on Caudium 1.3 CVS. This has been backported to
    Caudium 1.2.30 as well.

     
  • Bill welliver
    Bill welliver
    2004-08-24

    Logged In: YES
    user_id=272269

    This is actually NOT implemented. Server certificate chaining
    is, but that's an entirely different beast. In order to implement
    this functionality, I need to know what the required features
    should be, such as:

    - do not require client certificates
    - require client certificates for all requests
    - require client certificates for certain requests

    - how to authenticate a certificate as valid? issuer database?
    subportion of certificate dn? etc?

    - how to hook in to certificate databases to verify user
    authenticity?

     
  • Bill welliver
    Bill welliver
    2004-08-24

    • summary: SSL WITH client certificates --> SSL Client certificate support
    • status: closed --> open
     
  • Logged In: YES
    user_id=165645

    1. do not require client certificates
    Well, this would be good, but I don't think it is top priority.

    2. require client certificates for all requests
    This would be the first to implement: on a port you'd
    require a valid client certificate.

    3. require client certificates for certain requests
    Well, this would also be nice, but again not top priority.

    4. how to authenticate a certificate as valid? issuer database?
    subportion of certificate dn? etc?
    The standard procedure to validate a certificate is:
    * verify the signature made by the CA
    * check that the current time and date is in between "not before" and
    "not after"
    Validity
    Not Before: Aug 7 01:12:56 2000 GMT
    Not After : Jan 28 01:12:56 2006 GMT
    * check that the certificate is not revoked (in a CRL file)
    also see "man verify" (openssl's steps for verifying a
    certificate)

    5. how to hook in to certificate databases to verify user
    authenticity?
    This is actually authorization. I know Apache simply
    recommends .htaccess and uses the DN for username;
    see: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

    (I'll be glad to help out more ...)

     
  • Bill welliver
    Bill welliver
    2004-08-26

    Logged In: YES
    user_id=272269

    Followups:

    I think the way it would work would be either a) require a certificate or
    b) ask for a certificate.

    If we get a cert, then it has to be valid and must have a DN match. We
    can probably build this as an auth module that fiddles with the SSL
    context(s) for the virtual server to get it to ask for and check the cert
    received. The Pike client doesn't do the CRL processing, though, so we'd
    have to hook into that somehow. Maybe the SSL protocol module needs to
    have a client_certificate_callback or something.
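Added example, not code from this tracker thread and not Caudium or Pike code: a Python sketch, using only the standard library's ssl module, of the split the last two comments converge on. The three policies (none / ask / require) become the verify mode of a per-port server context, the TLS library does the cryptographic validation steps listed in the earlier comment (CA signature, not-before/not-after, and with a flag the CRL check), and the .htaccess-style authorization is a separate function that matches a sub-portion of the DN and uses the commonName as the username. The function names, the SAMPLE_CERT dictionary (in the shape Python's getpeercert() returns), the "Example Org"/"alice" names and the epoch timestamps are constructed for the example; only the validity dates are the ones quoted in the ticket.

```python
import ssl
import time

# The three policies from the ticket, mapped onto the verify modes a
# server-side SSLContext understands. CERT_OPTIONAL is the "ask for a
# certificate" case: a CertificateRequest is sent, but a client that
# presents nothing still completes the handshake.
VERIFY_MODES = {
    "none": ssl.CERT_NONE,          # do not request client certificates
    "optional": ssl.CERT_OPTIONAL,  # ask; validate only if one is presented
    "required": ssl.CERT_REQUIRED,  # handshake fails without a valid certificate
}
CRL_LEAF_FLAG = ssl.VERIFY_CRL_CHECK_LEAF


def make_server_context(policy, ca_file=None, check_crl=False):
    """Build the TLS context for one listening port (hypothetical helper).

    Steps 1 and 2 of the validation (CA signature, not-before/not-after)
    are done by the TLS library during the handshake once verify_mode is
    optional/required and the issuing CA is in ca_file.  check_crl adds
    step 3 (revocation); the CRL must then also be loaded through
    load_verify_locations(), otherwise every handshake fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = VERIFY_MODES[policy]
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    if check_crl:
        ctx.verify_flags |= CRL_LEAF_FLAG
    return ctx


def subject_to_dict(subject):
    """Flatten the subject tuple-of-RDNs that getpeercert() returns."""
    flat = {}
    for rdn in subject:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def within_validity(cert, now):
    """Re-check the validity window at request time: a keep-alive
    connection can outlive the certificate that authenticated it."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def authorize(cert, required_dn, now=None):
    """The .htaccess-style part: map an already-verified certificate
    to a username by matching a sub-portion of its DN.

    cert is the dict from SSLSocket.getpeercert() ({} when the client
    sent none under the 'optional' policy).  Returns (username, reason);
    username is the commonName, or None when access is denied.
    """
    if not cert:
        return None, "no client certificate presented"
    if now is None:
        now = time.time()
    if not within_validity(cert, now):
        return None, "certificate outside its validity period"
    subject = subject_to_dict(cert["subject"])
    for attr, wanted in required_dn.items():
        if subject.get(attr) != wanted:
            return None, "DN mismatch on " + attr
    return subject.get("commonName"), "ok"


# Constructed sample in the shape getpeercert() returns.  The validity
# dates are the ones quoted in the ticket; the names are made up.
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "Example Org"),),
        (("organizationalUnitName", "staff"),),
        (("commonName", "alice"),),
    ),
    "issuer": ((("commonName", "Example Org CA"),),),
    "notBefore": "Aug  7 01:12:56 2000 GMT",
    "notAfter": "Jan 28 01:12:56 2006 GMT",
}

if __name__ == "__main__":
    ctx = make_server_context("required", check_crl=True)
    print("verify_mode:", ctx.verify_mode, "crl check:", bool(ctx.verify_flags & CRL_LEAF_FLAG))
    jan_2003 = 1041379200  # 2003-01-01T00:00:00Z, inside the window
    jan_2010 = 1262304000  # 2010-01-01T00:00:00Z, after notAfter
    print(authorize(SAMPLE_CERT, {"organizationName": "Example Org"}, now=jan_2003))
    print(authorize(SAMPLE_CERT, {"organizationName": "Example Org"}, now=jan_2010))
    print(authorize(SAMPLE_CERT, {"organizationalUnitName": "admins"}, now=jan_2003))
    print(authorize({}, {}, now=jan_2003))
```

The design point is the one the thread arrives at: the cryptographic checks (signature, validity period, revocation) belong in the TLS layer that already sees the chain, while the authorization decision only needs the parsed subject, so a per-request check can stay as small as a DN comparison. The CRL flag is deliberately opt-in here because enabling it without loading a CRL rejects every client.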