[users@httpd] mod_ssl env var to uniquely identify client certificate (sha1 fingerprint ?)

[Thomas Fazekas <th...@gmail.com>]

Right off the bat, I want to point out that this is NOT a bug report but
rather a feature request/proposal (I don't know whether this is allowed or
not ... my apologies if it isn't)

In a nutshell what I would like to have is in the SSL environment variables
a new variable that uniquely identifies the client certificate (certificate
sha1 fingerprint maybe ?).

Imagine a (corporate internal) service that does mTLS user authentication.
Now (I presume
for financial reasons) the company created its own CA and issued thousands
of certificates.
I can of course add the internal CA to my known CAs list, and I can check
of course the SSL_CLIENT_S_DN_CN name, but I cannot guarantee that the CA
plays nice (meaning that they might actually create certificates with the
same DN or the same SN ... it actually happened).
Now, I already have a small subset of certificates in an LDAP, so what I
would like to do is to authorize access based on certificate fingerprint.
If I would have the (sha1 ...) fingerprint in a environment variable (let
us say SSL_CLIENT_CERT_SHA1) I could do something like :

SSLUserName SSL_CLIENT_CERT_SHA1
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldaphost/ou=accounts,dc=test,dc=com?uid"

Where of course the ldap uids would be the fingerprints.

I hope this would make sense to more people...

Rgards