Logged In: YES
user_id=65373
Humm... Can you detail more this request ?
/Xavier
Logged In: YES
user_id=165645
I want Caudium to be able to REQUIRE of the clients
(browsers) to present a certificate to the server (Caudium).
The server should then verify that the client's certificate
is valid (not too new, too old, the digital signature verifies
and so on) and then that access is granted (think .htaccess).
That would be nice.
Logged In: NO
The SSL module in pike doesn't "handle" certificates
yet. Getting certificate support in pike is probably the
first step. Once that's done, it would probably be
possible to add certificate handling to an auth module.
Can you provide examples of how this might be used in
an htaccess file? Would the user database have to
keep track of valid certificates?
Logged In: YES
user_id=65373
Caudium 1.3 now supports chained certificates. I dunno if it
is what you were looking for... ?
/Xavier
Logged In: YES
user_id=272269
Pike 7.6 supports client certificate request. Now that that
framework is in place, we can think about adding support for
ssl authentication in caudium.
Logged In: NO
Can I help in any way ?
//kinneh
Logged In: YES
user_id=65373
Done on Caudium 1.3 CVS. This has been backported to
Caudium 1.2.30 as well.
Logged In: YES
user_id=272269
This is actually NOT implemented. Server certificate chaining
is, but that's an entirely different beast. In order to implement
this functionality, I need to know what the required features
should be, such as:
- do not require client certificates
- require client certificates for all requests
- require client certificates for certain requests
- how to authenticate a certificate as valid? issuer database?
subportion of certificate dn? etc?
- how to hook in to certificate databases to verify user
authenticity?
Logged In: YES
user_id=165645
1. do not require client certificates
well this would be good but I don't think it is top priority
2. require client certificates for all requests
this would be the first to implement, on a port you'd
require a valid client certificate
3. require client certificates for certain requests
well this would also be nice, but again not top priority
4. how to authenticate a certificate as valid? issuer database?
subportion of certificate dn? etc?
standard procedure to validate a certificate is:
* verify the signature made by the CA
* check that the time and date is in between "not before" and
"not after"
    Validity
        Not Before: Aug 7 01:12:56 2000 GMT
        Not After : Jan 28 01:12:56 2006 GMT
* check that the certificate is not revoked (in a CRL file)
also see "man verify" (openssl's steps of verifying a
certificate)
5. how to hook in to certificate databases to verify user
authenticity?
this is actually authorization, I know apache simply
recommends .htaccess and uses the DN for username
see: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9
(I'll be glad to help out more ...)
Logged In: YES
user_id=272269
followups:
I think the way it would work would be either a) require a certificate or
b) ask for a certificate.
If we get a cert, then it has to be valid and must have a dn match. We
can probably build this as an auth module that fiddles with the ssl
context(s) for the virtual server to get it to ask and check the cert
received. the pike client doesn't do the crl processing, though, so we'd
have to hook into that somehow. maybe the ssl protocol module needs to
have a client_certificate_callback or something.
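To make the two proposals above concrete (the validation steps listed under point 4 of the earlier reply, and the "require or ask, then valid plus DN match" design in the last one), here is an added example of how such an auth module's decision logic could look. It is not Caudium or Pike code and is written in Python rather than Pike. It assumes the TLS layer has already checked the CA signature on the chain before handing over the certificate (as Python's ssl module does during the handshake, so step 1 is not repeated here), that the certificate arrives in the dict layout that ssl.SSLSocket.getpeercert() returns, and that the CRL has already been parsed into a set of revoked serial numbers per issuer. The rule table, the sample certificate for "alice" (which reuses the validity window quoted in the thread) and the CRL contents are constructed; the names CertPolicy, validate, authorize, dn_string and gmt are the example's own.

```python
import ssl
import time
from enum import Enum


class CertPolicy(Enum):
    """The three per-location modes listed in the thread."""
    NONE = "none"          # do not request a client certificate
    OPTIONAL = "ask"       # ask for one; anonymous clients still pass
    REQUIRED = "require"   # a valid, authorized certificate is mandatory


def dn_string(name):
    """Flatten the nested RDN tuples of getpeercert() into 'C=SE, CN=alice',
    the form mod_ssl hands to .htaccess as the FakeBasicAuth user name."""
    short = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
             "organizationName": "O", "organizationalUnitName": "OU",
             "commonName": "CN"}
    return ", ".join(f"{short.get(attr, attr)}={value}"
                     for rdn in name for attr, value in rdn)


def gmt(cert_time):
    """Parse the 'Aug  7 01:12:56 2000 GMT' notation of X.509 text dumps."""
    return ssl.cert_time_to_seconds(cert_time)


def validate(cert, revoked, now=None):
    """Steps 2 and 3 of the procedure quoted in the thread: validity window
    and revocation. Step 1 (the CA signature) is assumed to have been
    verified by the TLS layer. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if now < gmt(cert["notBefore"]):
        return False, "not yet valid"
    if now > gmt(cert["notAfter"]):
        return False, "expired"
    # CRL modelled as {issuer DN: {revoked serial numbers as upper-case hex}},
    # which is also how getpeercert() spells serialNumber.
    if cert["serialNumber"].upper() in revoked.get(dn_string(cert["issuer"]), ()):
        return False, "revoked"
    return True, "ok"


def authorize(path, cert, rules, revoked, now=None):
    """Decide access for `path`. `rules` is an ordered list of
    (path_prefix, CertPolicy, allowed_dns); allowed_dns=None means any
    valid certificate is accepted. A certificate that is presented under
    the OPTIONAL policy must still be valid and match, as the thread
    proposes. Returns (allowed, user, reason)."""
    for prefix, policy, allowed in rules:
        if not path.startswith(prefix):
            continue
        if cert is None:
            if policy is CertPolicy.REQUIRED:
                return False, None, "client certificate required"
            return True, None, "anonymous"
        if policy is CertPolicy.NONE:
            return True, None, "certificate ignored"
        ok, reason = validate(cert, revoked, now)
        if not ok:
            return False, None, reason
        user = dn_string(cert["subject"])
        if allowed is not None and user not in allowed:
            return False, user, "DN not authorized"
        return True, user, "ok"
    return False, None, "no matching rule"


# Constructed sample data; the validity window is the one quoted in the thread.
ALICE = {
    "subject": ((("countryName", "SE"),), (("organizationName", "Example"),),
                (("commonName", "alice"),)),
    "issuer": ((("countryName", "SE"),), (("organizationName", "Example CA"),)),
    "serialNumber": "1A2B",
    "notBefore": "Aug  7 01:12:56 2000 GMT",
    "notAfter": "Jan 28 01:12:56 2006 GMT",
}
REVOKED = {"C=SE, O=Example CA": {"DEAD"}}      # constructed CRL contents
RULES = [
    ("/secure/", CertPolicy.REQUIRED, {"C=SE, O=Example, CN=alice"}),
    ("/members/", CertPolicy.OPTIONAL, None),
    ("/", CertPolicy.NONE, None),
]

if __name__ == "__main__":
    inside = gmt("Jan  1 00:00:00 2003 GMT")
    print(authorize("/secure/report", ALICE, RULES, REVOKED, now=inside))
    print(authorize("/secure/report", None, RULES, REVOKED, now=inside))
    print(authorize("/members/", ALICE, RULES, REVOKED,
                    now=gmt("Jan  1 00:00:00 2007 GMT")))
```

The rule table is evaluated first-match, so the most specific prefix must come first, exactly as one would order Location blocks; and the decision is made on the flattened DN string rather than on a single attribute, so two certificates that share a CN under different organizations cannot be confused.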