I'm using your Crypt::SSLeay, and I'm very happy this works. Thank you very much for this!!
We have this intraweb-server that requires the clients to be authenticated by means of client certificates. These client certificates are distributed to the users in PKCS12 keybags. Each bag contains the user's private key, the user's cert, the web-server cert and the CA's cert.
1) Is the PEM pass phrase password dialogue (when $ENV{HTTPS_KEY_FILE} is used) safe? Is it stored in any environment variable which makes it unsafe?
I have been testing Crypt::SSLeay with the PKCS12 files mentioned above, but it doesn't seem to work unless you specify the $ENV{HTTPS_PKCS12_PASSWORD}. No password input dialogue is shown. Nor do I want to create my own password input routine, and store it in this environment variable because of the security issues involved.
2) Are there any chances that this could be extracted to a password input, similar to the one used if $ENV{HTTPS_KEY_FILE} is used, please?
3) When using the PKCS12 file, are there any possibilities to verify the attached CA cert? Because it seems like it ignores the other certs included in the PKCS12 file.
PKCS12 files simplify things for the users, as they only have to worry about one file, not three (key, user cert and CA cert).
I am aware that the PKCS12 is alpha, but I just wanted to give you guys some feedback and tips. Please keep up the good work!
Regards, Svein
