> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Sonu Kishore
> Sent: 11 September 2002 06:38
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: Re:non-repudiation
> How do I ensure that the certificate user "A" presents, together with
> his user id and password, was issued to him and not to any other user....
>
> It is possible that user "A" logs on to my web site with his
> user id/password but uses user "B"'s certificate... in such a case
> non-repudiation becomes illogical.
When the user logs in, check that the userid matches a part of the
certificate, e.g. the CN. If you have
    SSLOptions +StdEnvVars
in your httpd.conf, then all the certificate details are available to
your dynamic login page in the environment.
Your login logic can go something like this Perlish pseudo-code:
[watch the wrapping]
    use strict;
    use warnings;
    use DBI;
    use Digest::MD5 qw(md5_hex);

    # $user, $password, $salt, the DBI handle $dbh and a redirect()
    # helper are assumed to be set up by the surrounding CGI script.
    # Hash the submitted password exactly as it was stored.
    my $dbpasswd = md5_hex($password . "\t" . $user . "\t" . $salt);

    # Bind the values instead of interpolating $user into the SQL.
    my $sth = $dbh->prepare("select * from user where user = ? and password = ?");
    $sth->execute($user, $dbpasswd);
    my $rows = $sth->fetchall_arrayref;

    if ( @$rows == 1 ) {
        # mod_ssl exports the subject CN of the verified client cert here.
        if ( !defined $ENV{SSL_CLIENT_S_DN_CN} || $ENV{SSL_CLIENT_S_DN_CN} ne $user ) {
            redirect("/login?error=Certificate: " . ($ENV{SSL_CLIENT_S_DN_CN} // 'none')
                     . " - Invalid, you must use your own certificate to login!");
        }
        redirect("/authenticated");
    } else {
        redirect("/login?error=Invalid User/Password");
    }
    redirect("/login?error=System Error, please contact support");
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
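The same check as above, written out as an added example in Python (not part of the thread, and not mod_ssl's own code) so that the two failure modes the reply glosses over are explicit: no client certificate presented at all, and a certificate whose subject CN belongs to someone else. It assumes the login script runs under mod_ssl with SSLOptions +StdEnvVars, so that the standard SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN variables are in the CGI environment; the environment dictionaries below are constructed samples, and check_certificate_owner/login_decision are names chosen for this example.

```python
from urllib.parse import quote

# Constructed samples of the environment mod_ssl exports with
# "SSLOptions +StdEnvVars" (values invented for this example).
SAMPLE_ENV_OK = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=XX/O=Example/CN=alice",
    "SSL_CLIENT_S_DN_CN": "alice",
}
# Same user id at the login form, but somebody else's certificate.
SAMPLE_ENV_OTHER_CERT = dict(SAMPLE_ENV_OK,
                             SSL_CLIENT_S_DN="/C=XX/O=Example/CN=bob",
                             SSL_CLIENT_S_DN_CN="bob")
# No client certificate was sent (SSLVerifyClient optional, or none offered).
SAMPLE_ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}


def check_certificate_owner(env, user):
    """Return (ok, reason).

    ok is True only when mod_ssl reports a successfully verified client
    certificate and its subject CN is exactly the submitted user id.
    """
    # Without this check an empty/absent CN could slip past a naive
    # comparison when no certificate was presented at all.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "no verified client certificate presented"
    cn = env.get("SSL_CLIENT_S_DN_CN")
    if not cn:
        return False, "certificate subject has no CN"
    # Exact, case-sensitive match, as Perl's "ne" would do.
    if cn != user:
        return False, (f"Certificate: {cn} - Invalid, you must use your "
                       "own certificate to login!")
    return True, "certificate matches user"


def login_decision(env, user, password_ok):
    """Mirror the flow in the mail: password first, then the certificate.

    password_ok is the result of the database lookup; returns the
    redirect target the login page should send the browser to.
    """
    if not password_ok:
        return "/login?error=" + quote("Invalid User/Password")
    ok, reason = check_certificate_owner(env, user)
    if not ok:
        return "/login?error=" + quote(reason)
    return "/authenticated"


if __name__ == "__main__":
    for label, env in (("own cert", SAMPLE_ENV_OK),
                       ("other cert", SAMPLE_ENV_OTHER_CERT),
                       ("no cert", SAMPLE_ENV_NO_CERT)):
        print(label, "->", login_decision(env, "alice", True))
```

The error text is URL-encoded before being placed in the redirect query string; the Perl version in the mail interpolates it raw, which is fine for a mailing-list sketch but not for a deployed login page.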