Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2009/11/09 20:06:04 UTC

Identifying Clients via SSL Certificates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I've been playing around with client SSL certificates, not for
authentication per se, but as a gateway to a relaxed authentication
mechanism for one of our webapps.

I have a client SSL cert working (see my previous thread "mod_jk &
Client SSL Certificates") and successfully verifying the signature of
the client cert by the server.

I'd like to be able to uniquely identify the client certificate being
used to authenticate via SSL, but I'm a newbie at this sort of thing and
I'd appreciate some suggestions as to how to do that. A few ideas I've
had are:

1. Use a directory-style 'CN' attribute like "UID=myuniqueid"

2. Use the fingerprint of the client certificate

3. Use the full text of the client certificate

All 3 of the above can be used to then link to appropriate records in
the database for limited authentication.

Does anyone have any suggestions or preferred techniques?

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkr4aBwACgkQ9CaO5/Lv0PDIFgCfb69oibXH3GAwQ1R4z40eux+w
lQcAoL5rFQHQX2rSWjh1LVoptUHXCQLt
=gPOY
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
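The three candidate identifiers in the post map directly onto what a Tomcat webapp can read from the request once the connector (or httpd with mod_jk in front) has verified the client chain. The following class is an added illustration written for this thread, not code from the list or from Tomcat itself; it assumes the standard Servlet attribute name "javax.servlet.request.X509Certificate" and a subject DN that carries a UID attribute as in option 1. It also shows a fourth identifier the post does not list, the issuer DN plus serial number, which X.509 itself defines as unique per issuing CA.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

/** Helpers for turning a verified client certificate into a lookup key (illustrative). */
public final class ClientCertIdentity {

    /** Servlet-spec request attribute under which the container exposes the client chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private ClientCertIdentity() { }

    /**
     * Returns the client's own (end-entity) certificate, or null when none was
     * presented. The attribute is only set after the container (or the httpd in
     * front of mod_jk) has already validated the chain, so a non-null result means
     * the signature check the post describes has passed.
     */
    public static X509Certificate clientCert(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        // chain[0] is the client certificate; any further entries are intermediates.
        return chain.length > 0 ? chain[0] : null;
    }

    /** Option 2: lower-case hex SHA-256 fingerprint over the DER encoding. */
    public static String fingerprint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b)); // %x on a byte prints it unsigned
        }
        return hex.toString();
    }

    /**
     * Option 1: value of a subject-DN attribute such as "UID", or null if the DN
     * has no such RDN. Uses the RFC 2253 string form, which spells UID as a keyword.
     */
    public static String subjectAttribute(X509Certificate cert, String attrType)
            throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase(attrType)) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Option 3 reduced to its essence: the raw DER bytes, i.e. the "full text". */
    public static byte[] fullCertificate(X509Certificate cert)
            throws CertificateEncodingException {
        return cert.getEncoded();
    }

    /** Not in the post: issuer DN + serial, the pair X.509 guarantees unique per CA. */
    public static String issuerAndSerial(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName()
                + "|" + cert.getSerialNumber().toString(16);
    }
}
```

A few practical points when choosing between them: the fingerprint (and the full DER, which is just a longer fingerprint) changes every time the certificate is renewed, so the database row must be re-keyed on renewal; a subject attribute such as UID survives renewal but is only as trustworthy as the CA that signed it, so it should be relied on only when the trust store is restricted to a CA you control; and whichever key you pick, logging the fingerprint alongside the mapped account makes it straightforward to trace a login back to the exact certificate that was presented.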


Re: Identifying Clients via SSL Certificates

Posted by Nilesh Patil <ni...@gmail.com>.
Hi,
For the last few days I have also been working on an SSL implementation.
I am using JBoss 5.1.0 GA.
I have implemented a server certificate but I don't know how to implement
client/server mutual authentication.

Do you work on that part? Can you help me?

Another issue I have is that I can access my application from the server, but if I
access the same application from a client machine I get the following
exception:

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:  }

Thanks in advance.

Please reply.


On Tue, Nov 10, 2009 at 3:59 AM, Jorge Medina <jm...@e-dialog.com> wrote:

>
> OpenSSL hashes the subject name.
>   " This is used in OpenSSL to form an index to allow certificates in a
> directory to be looked up by subject name. "
> but that seems weak.
>
>
> http://www.openssl.org/docs/apps/x509.html
> http://www.openssl.org/docs/apps/verify.html

RE: Identifying Clients via SSL Certificates

Posted by Jorge Medina <jm...@e-dialog.com>.
OpenSSL hashes the subject name.
   "This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name."
but that seems weak.

http://www.openssl.org/docs/apps/x509.html
http://www.openssl.org/docs/apps/verify.html



