Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2013/09/08 15:46:03 UTC

Re: AuthBasicProvider ssl-client-cert?

On 21 Jul 2013, at 20:58, Graham Leggett <mi...@sharp.fm> wrote:

> On 17 Jul 2013, at 4:44 PM, Eric Covener <co...@gmail.com> wrote:
> 
>> All of the client-cert-as-basic-auth-substitute mechanisms we have
>> require you to check the dummy password with a "real"
>> authbasicprovider.

That is not quite the case; you can avoid this with Anon and Authoritative; but conceptually that is as 'unclean'.

..
>> I think I need this to deprecate a proprietary module, and I don't
>> want to replace it with a proprietary (albeit simple)
>> AuthBasicProvider.
> 
> +1.
> 
> I would add this to mod_ssl though, rather than trying to make something like mod_auth_basic aware of this.

Agreed - this is something that should sit with mod_ssl - or be a side module to mod_ssl.

Fixing/adding this would probably mean also addressing some of the CA chain laxness we currently have - and have three (four) very distinct chains; one for the server itself & intermediates; one for the proxy and what it wants it accepts and one for the proxy it identifies as; and one for the client and what intermediates it recognises.

That may not be quite backward compatible - but IMHO worth breaking a few configs.

Dw.