Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2013/09/08 15:46:03 UTC
Re: AuthBasicProvider ssl-client-cert?
On 21 Jul 2013, at 20:58, Graham Leggett <mi...@sharp.fm> wrote:
> On 17 Jul 2013, at 4:44 PM, Eric Covener <co...@gmail.com> wrote:
>
>> All of the client-cert-as-basic-auth-substitute mechanisms we have
>> require you to check the dummy password with a "real"
>> authbasicprovider.
That is not quite the case; you can avoid this with Anon and Authoritative; but conceptually that is as 'unclean'.
..
>> I think I need this to deprecate a proprietary module, and I don't
>> want to replace it with a proprietary (albeit simple)
>> AuthBasicProvider.
>
> +1.
>
> I would add this to mod_ssl though, rather than trying to make something like mod_auth_basic aware of this.
Agreed - this is something that should sit with mod_ssl - or be a side module to mod_ssl.
Fixing/adding this would probably mean also addressing some of the CA chain laxness we currently have - and have three (four) very distinct chains: one for the server itself & intermediates; one for the proxy and what it wants it accepts; one for the proxy it identifies as; and one for the client and what intermediates it recognises.
That may not be quite backward compatible - but IMHO worth breaking a few configs.
Dw.