Posted to issues@trafficserver.apache.org by "Thach Tran (JIRA)" <ji...@apache.org> on 2012/11/21 17:53:57 UTC

[jira] [Created] (TS-1584) Exposing client SSL certificate verification result in plugin API

Thach Tran created TS-1584:
------------------------------

             Summary: Exposing client SSL certificate verification result in plugin API 
                 Key: TS-1584
                 URL: https://issues.apache.org/jira/browse/TS-1584
             Project: Traffic Server
          Issue Type: Improvement
          Components: SSL, TS API
    Affects Versions: 3.3.4
            Reporter: Thach Tran
            Priority: Minor


I'm writing an authentication plugin for Traffic Server and would like to implement the following logic:
  * If the client supplies a valid certificate over SSL, allow the transaction to proceed with no further authentication.
  * Otherwise, challenge the client with username/password authentication.

Currently if I turn on client certificate checking in TS (proxy.config.ssl.client.certification_level > 0), the result of the client certificate verification happens at the SSLNetVConnection level and plugin hooks have no knowledge of this. This makes implementing the aforementioned logic not possible.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
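
The decision described in the report, as an added example that is not part of the original thread and does not use the Traffic Server API. The `client_tls_info` struct, its field names, `decide_auth` and the use of the HTTP Basic scheme are assumptions; the sketch also assumes the client certificate is requested as optional so the handshake completes without one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical view of what a plugin hook would need from the TLS layer.
 * Not the Traffic Server API; all names here are assumptions. */
#define VERIFY_OK 0L /* same numeric value as OpenSSL's X509_V_OK */

typedef struct {
    int  is_tls;         /* connection arrived over SSL/TLS */
    int  cert_presented; /* peer actually sent a certificate */
    long verify_result;  /* chain verification result, 0 == OK */
} client_tls_info;

typedef enum { AUTH_ALLOW, AUTH_CHECK_PASSWORD, AUTH_CHALLENGE } auth_action;

/* Decide how to authenticate one transaction.
 * authz is the raw Authorization header value, or NULL when absent. */
auth_action decide_auth(const client_tls_info *tls, const char *authz)
{
    /* OpenSSL reports X509_V_OK when no certificate was presented at all,
     * so the result code alone does not prove a verified client. */
    if (tls != NULL && tls->is_tls && tls->cert_presented &&
        tls->verify_result == VERIFY_OK)
        return AUTH_ALLOW;

    /* No verified certificate: fall back to username/password. */
    if (authz != NULL && strncmp(authz, "Basic ", 6) == 0 && authz[6] != '\0')
        return AUTH_CHECK_PASSWORD; /* caller still validates the credentials */

    return AUTH_CHALLENGE; /* e.g. answer 401 with WWW-Authenticate */
}

int main(void)
{
    /* Constructed sample sessions: verified cert, no cert, failed verify. */
    client_tls_info verified = {1, 1, VERIFY_OK};
    client_tls_info no_cert  = {1, 0, VERIFY_OK};
    client_tls_info failed   = {1, 1, 10L}; /* constructed non-zero code */

    printf("verified cert: %d\n", decide_auth(&verified, NULL));
    printf("no cert:       %d\n", decide_auth(&no_cert, NULL));
    printf("failed verify: %d\n", decide_auth(&failed, "Basic dXNlcjpwdw=="));
    return 0;
}
```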

Re: [jira] [Created] (TS-1584) Exposing client SSL certificate verification result in plugin API

Posted by Igor Galić <i....@brainsware.org>.
+1

"Thach Tran (JIRA)" <ji...@apache.org> wrote:

>Thach Tran created TS-1584:
>------------------------------
>
>Summary: Exposing client SSL certificate verification result in plugin
>API 
>                 Key: TS-1584
>                 URL: https://issues.apache.org/jira/browse/TS-1584
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL, TS API
>    Affects Versions: 3.3.4
>            Reporter: Thach Tran
>            Priority: Minor
>
>
>I'm writing an authentication plugin for traffic server and would like
>to implement the following logic:
>* If the client supplies valid certificate over ssl, allow the
>transaction to proceed with no further authentication.
>* Otherwise challenge the client with username/password authentication.
>
>Currently if I turn on client certificate checking in TS
>(proxy.config.ssl.client.certification_level > 0), the result of the
>client certificate verification happens at the SSLNetVConnection level
>and plugin hooks have no knowledge of this. This makes implementing the
>aforementioned logic not possible.
>
>--
>This message is automatically generated by JIRA.
>If you think it was sent incorrectly, please contact your JIRA
>administrators
>For more information on JIRA, see:
>http://www.atlassian.com/software/jira

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API

Posted by "Igor Galić (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502288#comment-13502288 ] 

Igor Galić commented on TS-1584:
--------------------------------

+1



-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

                
> Exposing client SSL certificate verification result in plugin API 
> ------------------------------------------------------------------
>
>                 Key: TS-1584
>                 URL: https://issues.apache.org/jira/browse/TS-1584
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL, TS API
>    Affects Versions: 3.3.4
>            Reporter: Thach Tran
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch
>
>
> I'm writing an authentication plugin for traffic server and would like to implement the following logic:
>   * If the client supplies valid certificate over ssl, allow the transaction to proceed with no further authentication.
>   * Otherwise challenge the client with username/password authentication.
> Currently if I turn on client certificate checking in TS (proxy.config.ssl.client.certification_level > 0), the result of the client certificate verification happens at the SSLNetVConnection level and plugin hooks have no knowledge of this. This makes implementing the aforementioned logic not possible.


[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API

Posted by "James Peach (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502566#comment-13502566 ] 

James Peach commented on TS-1584:
---------------------------------

I took a quick look and I'm generally positive. The main comment I have is that there is a lot more interesting SSL session information to expose, so we should think harder about making a more general API that can expose additional information as we want it.
                

[jira] [Updated] (TS-1584) Exposing client SSL certificate verification result in plugin API

Posted by "Thach Tran (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thach Tran updated TS-1584:
---------------------------

    Attachment: 0001-Exposing-client-ssl-certificate-verification-result-.patch

I included a unit test for the new function in the API, but it's rather useless in that it only tests the case of a plain non-SSL client connection.
                