|
»
»
Authenticating users based on S/MIME certificate
|
View:
New views
3 Messages
—
Rating Filter:
Alert me
|
 |
Authenticating users based on S/MIME certificate
by Gunnar Vestergaard-3
::
Rate this Message:
Hi. I am an administrator of a user account at an Apache web server.
Currently the server is running Apache 1.3.37. My hosting provider plans on switching to new hardware with possibly new software. So I don't know if my web server will be run on Apache 1.3.37 or Apache 2.0. My goal is to let visitors of my web site authenticate themselves to my web server using some certificate, possibly S/MIME certificates. Now, my current S/MIME certificate for personal e-mail is approved for the following purposes: Email Signer Certificate Email Recipient Certificate Is it possible to have such a certificate authenticate its user towards an SSL web server? In any case I want to have a limited crowd of users seeing a subdirectory of pages without bothering the user with a user name/password dialog. Just their personal certificate lets them see pages in a certain subdirectory. As I understand the documentation for PHP, there is no means whereby PHP can read and interpret an SSL client certificate. Is that correct? Gunnar ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@... Automated List Manager majordomo@... |
|
|
Re: Authenticating users based on S/MIME certificate
by Dave Sparks-2
::
Rate this Message:
Gunnar Vestergaard wrote:
> My goal is to let visitors of my web site authenticate themselves to > my web server using some certificate, possibly S/MIME certificates. > As I understand the documentation for PHP, there is no means whereby > PHP can read and interpret an SSL client certificate. Is that correct? It's possible to configure Apache 2 to add the client certificate to a request header. From one of my configuration files: RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \ ^.*(-----BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-----(%0[Dd])?%0[Aa].*%0[Aa]-----END%20\2CERTIFICATE-----(%0[Dd])?%0[Aa]).*$ RewriteRule ^.*$ - [E=CLIENT_CERT:%1] RequestHeader unset L-ClientCert RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT The certificate is %-encoded to avoid problems with newline characters. Presumably PHP can use the string in the header to match the certificate against a list of known certificates. The certificate digest would be less unwieldy than the entire certificate, but mod_ssl would need some simple changes to make the digest available and I would be reluctant to use a hosting provider who allowed customers to use a modified mod_ssl. Dave Sparks ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@... Automated List Manager majordomo@... |
|
|
|
| Free embeddable forum powered by Nabble | Forum Help |
