Also make sure to have these settings in your virtualhost:

    SSLEngine On
    SSLOptions +stdEnvVars

To verify the variables are being passed properly, look at {{=request.env}}
in a view and look for SSL variables.
On Wednesday, March 11, 2015 at 8:22:15 AM UTC-4, LoveWeb2py wrote:
>
> Thank you so much for posting and for x509 auth. I got it working. For
> anyone who finds this: if you're using Apache, you need to change line 33 in
> x509_auth.py from self.ssl_client_raw_cert =
> self.request.env.ssl_client_cert
>
> It's the same cert that gets decoded by X509.FORMAT_PEM, but I suspect the
> ssl_client_raw_cert variable was for NGINX?
>
> Anyways, thank you so much again. The SSLVerifyClient require and
> SSLVerifyDepth were also a help.
>
> Could you tell me how it works on the backend? How will it create user
> accounts etc... Some of our users don't have e-mail in their certs so I
> have that commented out temporarily while I figure something out.
>
> On Wednesday, March 11, 2015 at 8:05:48 AM UTC-4, mcm wrote:
>>
>> I am glad someone is using x509 Auth; it is a very simple way to handle
>> user security.
>>
>> One important piece of the puzzle (with apache) is:
>>
>> SSLVerifyClient optional
>>
>> The optional allows one to accept any user on the website, while having
>> some web2py actions require a valid user certificate
>> just by adding the standard @auth.requires_login()
>>
>> ## Client Authentication (Type):
>> # Client certificate verification type and depth. Types are none,
>> # optional, require and optional_no_ca. Depth is a number which
>> # specifies how deeply to verify the certificate issuer chain before
>> # deciding the certificate is not valid.
>> #SSLVerifyClient require
>> #SSLVerifyDepth 10
>>
>>
>> 2015-03-11 12:27 GMT+01:00 LoveWeb2py <[email protected]>:
>>
>>> Those are exactly the two I don't have so far. From the list I saw in
>>> another post, I have:
>>>
>>> SSL_CIPHER, SSL_CLIENT_I_DN, SSL_CLIENT_CERT, SSL_CLIENT_VERIFY
>>>
>>> The following are not being passed (probably a problem with my ssl.conf):
>>> SSL_CLIENT_RAW_CERT, SSL_SESSION_ID, SSL_CLIENT_SERIAL
>>>
>>> Almost there! :) I'll post the fix when I find it
>>>
>>>
>>> On Tuesday, March 10, 2015 at 7:56:45 PM UTC-4, Niphlod wrote:
>>>>
>>>> debug it, debug it, debug it.
>>>>
>>>> AFAICS, x509_auth.py requires:
>>>>
>>>> ssl_client_raw_cert
>>>> optional ssl_client_serial
>>>>
>>>> On Wednesday, March 11, 2015 at 12:04:51 AM UTC+1, LoveWeb2py wrote:
>>>>>
>>>>> So I did {{=request.env}} and I can see the SSL DATA certificate in
>>>>> another app, but for some reason the app that requires the data isn't
>>>>> being passed. Going to keep troubleshooting that app because I really
>>>>> want to use the x509 authentication with web2py!!
>>>>>
>>>>> For some reason the x509 auth isn't working still. Going to keep
>>>>> pressing and will post a fix when I find it. Thank you so much for your
>>>>> help Niphlod. I hope this helps others in the future!
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, March 10, 2015 at 6:40:29 PM UTC-4, Niphlod wrote:
>>>>>>
>>>>>> what if you return somewhere this dict (takes the "SSL*" env
>>>>>> variables and prints it)
>>>>>>
>>>>>> def yourcode():
>>>>>>     .........
>>>>>>     debug_values = {}
>>>>>>     for k, v in request.env.iteritems():
>>>>>>         if k.lower().startswith('ssl'):
>>>>>>             debug_values[k] = v
>>>>>>     .........
>>>>>>     return dict(........., debug_values=debug_values)
>>>>>>
>>>>>> just to see if those get indeed passed along.
>>>>>>
>>>>>> --
>>> Resources:
>>> - http://web2py.com
>>> - http://web2py.com/book (Documentation)
>>> - http://github.com/web2py/web2py (Source code)
>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "web2py-users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
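
A fuller version of the request.env check discussed in this thread, as an added example that is not part of the original messages or of x509_auth.py. The function name `check_client_cert_env` is hypothetical, `env` is a plain dict standing in for web2py's request.env, and the sample environments are constructed.

```python
# Added example, not part of x509_auth.py. `env` is a plain dict standing in
# for web2py's request.env; the sample values below are constructed.
CERT_KEYS = ("SSL_CLIENT_RAW_CERT", "SSL_CLIENT_CERT")  # both names from the thread
OPTIONAL = ("SSL_CLIENT_SERIAL", "SSL_CLIENT_I_DN", "SSL_SESSION_ID")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def check_client_cert_env(env):
    """Report which mod_ssl variables arrived and whether the cert is usable."""
    ssl_vars = {k.upper(): str(v) for k, v in env.items()
                if k.upper().startswith("SSL")}
    report = {"cert_key": None, "trusted": False, "problems": [],
              "missing_optional": [k for k in OPTIONAL if k not in ssl_vars]}
    if not ssl_vars:
        report["problems"].append(
            "no SSL_* variables: SSLEngine/SSLOptions not active for this app")
        return report
    # Accept whichever variable actually carries the PEM certificate.
    for key in CERT_KEYS:
        if ssl_vars.get(key, "").lstrip().startswith(PEM_HEADER):
            report["cert_key"] = key
            break
    if report["cert_key"] is None:
        report["problems"].append(
            "no PEM client certificate (Apache exports SSL_CLIENT_CERT only "
            "with SSLOptions +ExportCertData)")
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    # With SSLVerifyClient optional, anything but SUCCESS is an unverified client.
    verify = ssl_vars.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        report["problems"].append("SSL_CLIENT_VERIFY is %r, not SUCCESS" % verify)
    report["trusted"] = verify == "SUCCESS" and report["cert_key"] is not None
    return report


# Constructed sample environments (certificate body elided on purpose).
APACHE_ENV = {
    "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
    "SSL_CLIENT_I_DN": "CN=Example Test CA",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_CERT": PEM_HEADER + "\n(constructed)\n-----END CERTIFICATE-----",
}
ANONYMOUS_ENV = {"SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
                 "SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    for name, env in (("apache", APACHE_ENV), ("anonymous", ANONYMOUS_ENV),
                      ("plain", {})):
        print(name, check_client_cert_env(env))
```

The `trusted` flag matters most with SSLVerifyClient optional, where a request can reach the application with no verified certificate at all.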