Thanks for pointing this out. Documentation seems to be sparse, but it
looks like it may be possible for us to use this by requiring clients to
have been signed by a trusted CA (basically, the server's CA), and
adding SSLOption +CompatEnvVars in order to obtain the client's CN (and
thus differentiate clients). I'll play with it a bit.
On Wed, Oct 30, 2002 at 07:56:12AM -0500, Justin R. Miller wrote:
Said Andres Salomon on Wed, Oct 30, 2002 at 02:23:57AM -0500:
The idea is to identify where a request came from; the cert only
verifies the server, not the client. Also, the cert is generally
self-signed, so I have no reason to trust it. I was thinking openssl
signing, not gnupg.
Actually the certificate support that is in there is client and server
certificates, i.e. the *client* has to have the right certificate in
order to interact with the server's certificate. This is an
alternative to HTTP(S) Basic or Digest username and password
authentication. In Edd's documentation for the *client* methods, just
after the setCredentials method (i.e. username/password auth), there is
a section for the setCertificate method. The functionality is described
in the 'HTTPS' section for the cURL docs at:
http://curl.haxx.se/docs/readme.curl.html
Furthermore, here's a post from this list ;-)
http://www.mail-archive.com/phpxmlrpc@usefulinc.com/msg00069.html
Most people don't use this feature of HTTPS, but the idea is that *both*
the client and server share 'halves' of a private certificate (the
client's being PEM-formatted), and the client is not allowed to
establish a connection without the proper certificate. Companies will
occasionally use this, for example installing a client certificate on
the workstations and then having them connect to the server via HTTPS.
The user does not need to worry about authentication, as the browsers
and server take care of this via the private certificates.
However, I'm not sure that the clients can all have different
certificates, or if they all share the same file. You would have to
look into the spec for HTTPS if this was a concern.
(Hi Justin! Did you hear about our gig thanksgiving weekend yet?)
Yep :-) We'll have to carry this further off-list though ;-)
--
[!] Justin R. Miller [EMAIL PROTECTED]
Encrypted email preferred (key 0xC9C40C31)
--
It's not denial. I'm just selective about the reality I accept.
-- Bill Watterson
___
phpxmlrpc mailing list
[EMAIL PROTECTED]
http://lists.usefulinc.com/cgi-bin/mailman/listinfo/phpxmlrpc
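
The approach proposed at the top of this thread (clients signed by the server's own CA, told apart by their CN) could look like this on the PHP side. This is an added example, not code from phpxmlrpc or from either poster; it assumes mod_ssl is configured with `SSLVerifyClient require`, a `SSLCACertificateFile` holding only the server's CA, and `SSLOptions +StdEnvVars`, and the function name, CNs and client ids are hypothetical.

```php
<?php
// Added example, not code from phpxmlrpc or from the thread.
// Assumed Apache/mod_ssl setup: SSLVerifyClient require, SSLCACertificateFile
// set to the server's own CA only, and SSLOptions +StdEnvVars so that
// SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN reach PHP.

/**
 * Map a verified client certificate to an application client id.
 * $server  request environment ($_SERVER in production)
 * $allowed certificate CN => client id (hypothetical names)
 * Returns the client id, or null when the request must be refused.
 */
function client_from_cert(array $server, array $allowed): ?string
{
    // Only SUCCESS means the chain validated against the configured CA.
    // NONE (no cert), GENEROUS and FAILED:<reason> are all refused.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    // The CN identifies a client only because the sole trusted CA is our own;
    // if other CAs were trusted, a cert from any of them with the same CN
    // would match as well.
    $cn = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    if ($cn === '' || !array_key_exists($cn, $allowed)) {
        return null;
    }
    return $allowed[$cn];
}

// Constructed sample data: two provisioned clients and four requests.
$allowed = ['billing-gw' => 'client-17', 'warehouse-01' => 'client-42'];
$requests = [
    'valid cert, known CN'   => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'billing-gw'],
    'valid cert, unknown CN' => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'intern-laptop'],
    'no client cert'         => ['SSL_CLIENT_VERIFY' => 'NONE'],
    // A request header named SSL-Client-S-DN-CN arrives with an HTTP_ prefix,
    // so it cannot stand in for the variable mod_ssl sets.
    'spoofed header only'    => ['HTTP_SSL_CLIENT_S_DN_CN' => 'billing-gw'],
];
foreach ($requests as $label => $env) {
    $id = client_from_cert($env, $allowed);
    printf("%-24s => %s\n", $label, $id ?? 'refused (403)');
}
```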