You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Ke...@uktransco.com on 2001/03/13 12:00:55 UTC
[OT] Client Certificate Authentification module?
I am looking for a module that will allow me to use Client
Certificates to authenticate the users. I am pretty sure I have come
accros this before, but I cannot find it anywhere. Anybody know where
I can find this.
I have seached CPAN for 'cert', 'authen' and 'client', but unless I
am overlooking something there doesn't seem to be anything there.
Thank you very much.
Kees Vonk
Mailing Code 3
Joule 1 - Ground Floor
Wharf Lane
Solihull
Internal:
Phone:
7249 27705
E-Mail:
Kees Vonk/KV002/Solihull/Transco
Home Page:
https://rep1prod:8081/
External:
Phone:
0121 - 705 7581 ext. 27705
E-Mail:
Kees.Vonk@uktransco.com
______________________________________________________________________
The views expressed in this email are not necessarily the views of
Transco plc, and the company, its directors, officers or employees
make no representation or accept any liability for its accuracy or
completeness unless expressly stated to the contrary.
This e-mail, and any attachments are strictly confidential and
intended for the addressee(s) only. The content may also contain
legal, professional or other privileged information. If you are not
the intended recipient, could you please notify the sender
immediately and then delete the e-mail and any attachments, you
should not disclose, copy or take any action in reliance of this
transmission. Unless expressly stated to the contrary, no contracts
may be concluded on behalf of Transco plc by means of e-mail
communication.
You may report the matter by calling us on +44 (0)1455 230999.
You should not copy, forward or otherwise disclose the contents of
this e-mail or any of its attachments without express consent.
Please ensure you have adequate virus protection before you open or
detach any documents from this transmission. Transco plc does not
accept any liability for viruses.
Transco plc is part of Lattice Group
Transco plc is registered in England: Company number: 2006000
Registered Office: 130 Jermyn Street, London, SW1Y 4UR
http://www.transco.uk.com
Re: [OT] Client Certificate Authentification module?
Posted by Adam Worrall <Ad...@ft.com>.
>>>>> "KV" == Kees Vonk <Ke...@uktransco.com> writes:
KV> I am looking for a module that will allow me to use Client
KV> Certificates to authenticate the users. I am pretty sure I have
KV> come accros this before, but I cannot find it anywhere. Anybody
KV> know where I can find this.
This is an apache / mod_ssl configuration issue:
<http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6>
I'm not aware of any mod_perl API into the SSL stuff.
I've got live configuration of a setup that uses this stuff, so mail me
if you get stuck ...
- Adam
Re: [OT] Client Certificate Authentification module?
Posted by Gunther Birznieks <gu...@extropia.com>.
If you download our Perl objects @
http://www.extropia.com/development/webware2/webware2.html, I have an
AuthManager::Certificate which implements client certificate authentication.
Probably the best place to download the code for that is on the
extropiaperl project at sourceforge if you want to see the implementation.
It's actually "trivial" because mod_ssl will decode the certificate into
extra environment variables indicating stuff like the DN of the user. It's
a requirement of SSL to make sure the certificate is valid based on the
certificate's signature(s). At that point, then you need to deal with
certificate revocation which is another matter. A lot of servers back up
certificate authentication with LDAP.
So the client sends the cert which verifies that they are who they say they
are, but LDAP needs to be used to actually get the relevant authorization
information out. If you use the framework we have, that is accomplished by
configuring the use of AuthManager::Certificate against Auth::LDAP.
Auth::Cache::Session can optionally be used to speed up the process.
Chapter 20 on the link I gave you has details on why we broke up the
modules the way we did.
Note that this is not to be confused with a handler. This is application
level logic. mod_ssl already handles certificate decoding so you really
don't need a handler anymore. At that point it seems like app logic to take
the user and figure out what you want them to do.
Of course, you can code authorization info into a cert like the roles that
they are intended for. But I think that's IMHO, a really BAD way to do it
because you have to revoke the cert to change the permissions of the user.
Best to leave the cert to identify the user and allow a dynamic datastore
to determine what they can do in most cases.
Later,
Gunther
PS The hard part about client certificates isn't using them, its managing
them and the customers that use them.
At 11:00 AM 3/13/01 +0000, Kees.Vonk@uktransco.com wrote:
>I am looking for a module that will allow me to use Client
>Certificates to authenticate the users. I am pretty sure I have come
>accros this before, but I cannot find it anywhere. Anybody know where
>I can find this.
>
>I have seached CPAN for 'cert', 'authen' and 'client', but unless I
>am overlooking something there doesn't seem to be anything there.
>
>Thank you very much.
>
>Kees Vonk
>
>Mailing Code 3
>Joule 1 - Ground Floor
>Wharf Lane
>Solihull
>
>
>
>Internal:
>Phone:
>7249 27705
>
>
>E-Mail:
>Kees Vonk/KV002/Solihull/Transco
>
>
>Home Page:
>
>https://rep1prod:8081/
>
>
>
>
>External:
>Phone:
>0121 - 705 7581 ext. 27705
>
>
>E-Mail:
>Kees.Vonk@uktransco.com
>
>
>
>
>
>______________________________________________________________________
>
>The views expressed in this email are not necessarily the views of
>Transco plc, and the company, its directors, officers or employees
>make no representation or accept any liability for its accuracy or
>completeness unless expressly stated to the contrary.
>
>This e-mail, and any attachments are strictly confidential and
>intended for the addressee(s) only. The content may also contain
>legal, professional or other privileged information. If you are not
>the intended recipient, could you please notify the sender
>immediately and then delete the e-mail and any attachments, you
>should not disclose, copy or take any action in reliance of this
>transmission. Unless expressly stated to the contrary, no contracts
>may be concluded on behalf of Transco plc by means of e-mail
>communication.
>
>You may report the matter by calling us on +44 (0)1455 230999.
>
>You should not copy, forward or otherwise disclose the contents of
>this e-mail or any of its attachments without express consent.
>
>Please ensure you have adequate virus protection before you open or
>detach any documents from this transmission. Transco plc does not
>accept any liability for viruses.
>
>Transco plc is part of Lattice Group
>Transco plc is registered in England: Company number: 2006000
>Registered Office: 130 Jermyn Street, London, SW1Y 4UR
>http://www.transco.uk.com
__________________________________________________
Gunther Birznieks (gunther.birznieks@extropia.com)
eXtropia - The Web Technology Company
http://www.extropia.com/
Re: [OT] Client Certificate Authentification module?
Posted by Matt Sergeant <ma...@sergeant.org>.
On Tue, 13 Mar 2001, Kees.Vonk@uktransco.com wrote:
> I am looking for a module that will allow me to use Client
> Certificates to authenticate the users. I am pretty sure I have come
> accros this before, but I cannot find it anywhere. Anybody know where
> I can find this.
>
> I have seached CPAN for 'cert', 'authen' and 'client', but unless I
> am overlooking something there doesn't seem to be anything there.
>
> Thank you very much.
http://take23.org/articles/2001/03/12/redirect.xml
Might give you some clues...
Also, you might want to trim your disclaimer and sig on mailing list
posts - you had 9 lines of email and 70 lines of sig and disclaimer!
--
<Matt/>
/|| ** Founder and CTO ** ** http://axkit.com/ **
//|| ** AxKit.com Ltd ** ** XML Application Serving **
// || ** http://axkit.org ** ** XSLT, XPathScript, XSP **
// \\| // ** mod_perl news and resources: http://take23.org **
\\//
//\\
// \\