Hi,
I'm working in the following environment:
Apache 2.4.48
mod_wsgi 3.4
Python 3.7+
Flask 2.0.1
cryptography (pyca) 3.4.7
Amazon Linux 2
I'm also using a self-signed Root CA internally to the organization on both the
clients and server.
The clients are mobile and their IP addresses are not significant, so I'm not
using SAN w/ IP address in the client certs.
I'd like to have the server verify that the client has presented a cert, that
the cert ladders up to our enterprise Root CA, that it's not revoked on the
OCSP server embedded in the issuer cert(s) AIA, etc.
But I'd also like to have access inside the server script to the client
certificate itself, so I can do further access checking on the certificate
itself (i.e. CN, the UID, membership in an explicit group or whitelist, etc.).
Some of my ssl.conf looks like:
WSGIScriptAlias /enroll /var/www/scripts/enroll.wsgi
# <Directory> takes a filesystem path, not the URL alias
<Directory /var/www/scripts>
    # "WSGIProgressGroup" is not a mod_wsgi directive; the process group is set with WSGIProcessGroup
    WSGIProcessGroup enroll
    WSGIApplicationGroup %{GLOBAL}
    # Apache 2.4 access control ("Order"/"Allow" are the 2.2 forms and need mod_access_compat)
    Require all granted
    SSLOptions +StdEnvVars
    # +FakeBasicAuth only matters when mod_auth_basic is also in use; +ExportCertData puts the PEM cert in SSL_CLIENT_CERT
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLVerifyClient require
    SSLVerifyDepth 5
</Directory>
Not sure I need the +FakeBasicAuth ... seems superfluous, but I copied & pasted
that from an article I googled.
It seems that a lot of this happens on the server itself and not inside the
scripting, and it verifies a lot based on the server (some servers perform more
checking, others less, etc).
Is there a FAQ or Best Practices document describing all of this, soup-to-nuts?
Thanks,
-Philip
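One way to do the in-script part of the question (reading the cert that +ExportCertData hands to the WSGI environ and checking CN/UID against an allowlist) is sketched below; this is an added example, not code from the original post. It assumes mod_ssl has already done chain and revocation checking (SSLVerifyClient require), that UID is carried as a subject attribute, and the allowlist values are constructed; the sample certificate is self-signed test data standing in for one issued by the enterprise CA.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed allowlist of UIDs permitted to call /enroll.
ALLOWED_UIDS = {"philip", "svc-enroll"}


def client_identity(environ):
    """Return (cn, uid) from the client cert mod_ssl placed in the WSGI environ
    (needs SSLOptions +ExportCertData), or None if there is no verified cert."""
    # mod_ssl already walked the chain; refuse to trust the cert unless it says so.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    pem = environ.get("SSL_CLIENT_CERT")
    if not pem:
        return None
    cert = x509.load_pem_x509_certificate(pem.encode("ascii"))

    def attr(oid):
        vals = cert.subject.get_attributes_for_oid(oid)
        return vals[0].value if vals else None

    return attr(NameOID.COMMON_NAME), attr(NameOID.USER_ID)


def authorize(environ, allowed_uids=ALLOWED_UIDS):
    """Access decision for the view: verified cert AND UID on the allowlist."""
    ident = client_identity(environ)
    if ident is None:
        return False
    _cn, uid = ident
    return uid is not None and uid in allowed_uids


def make_sample_environ(cn, uid, verify="SUCCESS"):
    """Constructed test data: a fresh self-signed cert in the shape mod_ssl exports."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.USER_ID, uid)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    pem = cert.public_bytes(serialization.Encoding.PEM).decode("ascii")
    return {"SSL_CLIENT_VERIFY": verify, "SSL_CLIENT_CERT": pem}
```

Inside a Flask view the call is `authorize(request.environ)`; returning 403 when it is False keeps the per-user policy in the script while the chain/OCSP checks stay in mod_ssl.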