Hi Mohamed,

We made the same observation and were not able to get this via the Apache/FCGI integration, so it is simply not supported in the EST wrapper shipped with the community edition. Anyway, if you find a suitable way to extract this, I am happy to add it to the code so it can be used :)

best regards

Oliver

On 13.12.23 10:22, Mo Be wrote:
Hello,

The TLS unique value is no longer available in TLS 1.3 version.
I don't know if the RFC 7030 will bring some update on it.

Anyway, back to TLS 1.2, where this value is available.
I would like to implement the recommendation of RFC 7030 section 3.5 <https://datatracker.ietf.org/doc/html/rfc7030#section-3.5>, which consists in proving that the client that signed the CSR is the same client that has established the TLS communication with the OpenXPKI server.

I have an EST Golang client that is able to retrieve it.
I have a static challenge password defined in the EST server (OpenXPKI EST realm yaml file). I'm sending a CSR with the same challenge password that I defined in OpenXPKI, and it works.

[What I want]
I would like to use the same approach as in authentication: the NoAuth handler that consumes Apache environment variables to retrieve information such as the username (HTTP basic auth).
Basically,

1- the challenge password would be retrieved from the incoming EST enroll request,
2- OpenXPKI consumes that TLS unique value from the incoming request and assigns it to the EST challenge password field that is defined in the EST yaml file,
3- the OpenXPKI defined workflow remains the same: compare the challenge password in the CSR to the challenge password in the EST yaml file (assigned dynamically, at runtime).

I haven't seen much about how this TLS value can be retrieved from Apache; perhaps this is something the OpenXPKI community has already solved. Or perhaps there is a better approach other than consuming it from the Apache environment.

Thanks,
Mohamed



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
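The RFC 7030 section 3.5 binding discussed in this thread, as an added example that is not code from either poster or from OpenXPKI: a Go program (Go to match Mohamed's EST client) that performs a TLS 1.2 handshake over an in-memory pipe, reads tls-unique on both the client and the server side through crypto/tls ConnectionState, derives the challengePassword value the client would place in its CSR, and performs the server-side comparison. The function names and the hostname est.example are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"math/big"
	"net"
	"time"
)

// ChallengeFromTLSUnique is the RFC 7030 section 3.5 transform: the base64 of tls-unique goes into challengePassword.
func ChallengeFromTLSUnique(tlsUnique []byte) string {
	return base64.StdEncoding.EncodeToString(tlsUnique)
}

// ChallengeMatches is the server-side check: constant time, and an empty tls-unique (TLS 1.3, or a front end that dropped it) never matches.
func ChallengeMatches(csrChallenge string, serverTLSUnique []byte) bool {
	return len(serverTLSUnique) > 0 && subtle.ConstantTimeCompare([]byte(csrChallenge), []byte(ChallengeFromTLSUnique(serverTLSUnique))) == 1
}

// TLSUniqueBothSides runs a TLS 1.2 handshake over an in-memory pipe with a throwaway self-signed cert and returns tls-unique as each side sees it.
func TLSUniqueBothSides() (client, server []byte, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"est.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts only this test certificate; no InsecureSkipVerify
	srvConn, cliConn := net.Pipe()
	srv := tls.Server(srvConn, &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	cli := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: "est.example", MaxVersion: tls.VersionTLS12})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err = cli.Handshake(); err == nil {
		err = <-srvErr // both Finished messages exchanged; tls-unique is now fixed on both sides
	}
	if err != nil {
		return nil, nil, err
	}
	return cli.ConnectionState().TLSUnique, srv.ConnectionState().TLSUnique, nil
}
```

In an OpenXPKI deployment the server-side value would have to be handed over by the TLS terminator (Apache), which is the missing piece Oliver describes; the comparison itself is what ChallengeMatches shows.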