Hi Jan,
On Fri, 4 Feb 2000, Jan Meijer wrote:
> For the past days we have tried to get a SSL webserver running that does
> client authentication either by using client certificates or by using the
> username/password combination.
> OK, using the configuration:
> <Directory /usr/local/apache/htdocs/office-ca/secret2/>
> # Allow client certs as alternative to basic auth.
> SSLRequireSSL
> SSLVerifyClient optional
> SSLVerifyDepth 3
> SSLOptions +FakeBasicAuth +StrictRequire
> </Directory>
> Jan
I had the same requirements. I've added the +StdEnvVars and +CompatEnvVars to
SSLOptions, which makes several environment vars available to CGIs,
which can be tested for a SSL_CLIENT_DN variable and, if it does not exist, throw a logon
box on the screen (not the standard BasicAuth box) and allow the user to log on.
If the SSL_CLIENT_DN is found, fold the SSL_CLIENT_CERT by stripping the
begin and end certificate lines and removing all newlines. Then you have a string
you can compare against a local database of base64 public certs. If the cert is
not found it can still show a logon box, allowing an admin user to "activate" the
certificate.
This works but involves creating a simple logon CGI for your site.
I however experienced the strangest phenomenon: in certain browsers the cert that is
offered differs in the last 4 chars of the base64 block. It stumped me a bit
and I got around it (very ugly) by stripping off the last 5 chars and doing a
compare. Any advice on this issue would be greatly appreciated.
--
Eddie Dunckley - Obsidian Systems, home email (24hr delayed mail checks)
Leave voice messages at +2711-792-6500, http://www.obsidian.co.za/eddie/
Join my mission to create a virtual office -see http://demo.obsidian.co.za
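The logon-CGI decision described in Eddie's reply, as an added illustration that is not his code or mod_ssl's: instead of comparing the folded base64 text byte-for-byte (where trailing padding or line folding can differ), the certificate is base64-decoded to DER and its SHA-256 fingerprint is looked up in the local "activated" table. The environment keys SSL_CLIENT_DN and SSL_CLIENT_CERT are the mod_ssl names (SSL_CLIENT_CERT additionally needs SSLOptions +ExportCertData); the `activated` dict and the sample PEM bytes are constructed stand-ins.

```python
import base64
import hashlib
import re
import textwrap

# Strip the PEM armor; any whitespace (LF, CRLF, fold width) is removed next.
_ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def pem_to_der(pem: str) -> bytes:
    """Drop BEGIN/END lines and all whitespace, then base64-decode to DER."""
    body = re.sub(r"\s+", "", _ARMOR.sub("", pem))
    return base64.b64decode(body, validate=True)  # raises ValueError if junk


def cert_fingerprint(pem: str) -> str:
    """Hex SHA-256 of the DER bytes: identical for every folding of one cert."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def decide(environ: dict, activated: dict):
    """Return (action, who) for one CGI request.

    action: 'authenticated' (cert known), 'needs_activation' (cert presented
    but not in the local table), or 'logon_form' (no usable client cert).
    `activated` maps fingerprint -> local username (hypothetical local DB).
    """
    dn = environ.get("SSL_CLIENT_DN")
    pem = environ.get("SSL_CLIENT_CERT")
    if not dn or not pem:
        return ("logon_form", None)           # no cert: show our own logon box
    try:
        fp = cert_fingerprint(pem)
    except ValueError:
        return ("logon_form", None)           # malformed cert data, treat as absent
    user = activated.get(fp)
    if user is None:
        return ("needs_activation", dn)       # let an admin "activate" it
    return ("authenticated", user)


# Constructed sample: NOT a real X.509 certificate, just bytes to hash.
FAKE_DER = b"constructed placeholder bytes, not a real certificate"
_B64 = base64.b64encode(FAKE_DER).decode()
# Same cert, two foldings: 64-column LF with trailing newline vs 40-column CRLF.
PEM_A = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(_B64, 64)) + "\n-----END CERTIFICATE-----\n"
PEM_B = "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(textwrap.wrap(_B64, 40)) + "\r\n-----END CERTIFICATE-----"
```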
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]