On October 1, 2012 5:41, Tom Browder <tom.browder@xxxxxxxxx> wrote:
> On Sun, Sep 30, 2012 at 7:44 PM, Mark Montague <mark@xxxxxxxxxxx> wrote:
>> On September 30, 2012 19:45, Tom Browder <tom.browder@xxxxxxxxx> wrote:
>>> Does anyone have a pointer to help on restricting a directory to
>>> access only with valid SSL Client Certificates and how to work CGI
>>> scripts to respect that restriction?
>> So you are allowing requests for the CGI from any web browser, without
>> a client certificate, but you then want to restrict what the CGI can
>> do when it is running?
> So, Mark, what about something like this:
>
> + if the cgi prog:
>   - finds the appropriate SSL cert envvar to be defined
>   - finds that envvar to satisfy appropriate criteria
> + then
>   - run to normal completion
> + otherwise
>   - return not authorized

My assumption was that you wanted to allow the CGI to be invoked for requests from web browsers that did not present client certificates, but then wanted to restrict what the CGI could do.
But if you have SSL related environment variables set, then this means that a client certificate was presented. Instead of changing the CGI to check for this, why not change the web server configuration to require the certificate in all cases? ("SSLVerifyClient require"). Then the SSL environment variables will always be set, and the CGI will never have to check them.
If I'm missing what you're actually asking, please provide more details about the configuration you currently have -- how have you configured SSL client verification, and in what way are you seeing web browsers invoke the CGI without presenting a client certificate?
--
Mark Montague
mark@xxxxxxxxxxx
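
The CGI-side check sketched in the quoted pseudo-code, written out as an added example (not code from this thread or from the Apache project). It assumes `SSLOptions +StdEnvVars` is enabled so that mod_ssl exports its variables to the CGI environment; the allow-listed names are constructed. With `SSLVerifyClient require` in the server configuration this check acts as a second layer rather than the only gate.

```python
#!/usr/bin/env python3
"""CGI gate on mod_ssl client-certificate variables (added example)."""
import os
import sys

# Constructed allow-list of subject CNs; replace with your own policy.
ALLOWED_CNS = {"alice.example", "bob.example"}


def authorize(environ):
    """Return (allowed, reason) from the mod_ssl variables in environ."""
    if environ.get("HTTPS", "").lower() != "on":
        return False, "request did not arrive over TLS"
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, "client certificate not verified (%s)" % verify
    cn = environ.get("SSL_CLIENT_S_DN_CN", "")
    if cn not in ALLOWED_CNS:
        return False, "subject CN not on the allow-list"
    return True, "ok"


def respond(environ):
    """Build the full CGI response (headers and body) as a string."""
    allowed, reason = authorize(environ)
    if not allowed:
        # Keep the reason out of the body; stderr goes to the Apache error log.
        sys.stderr.write("cert gate denied: %s\n" % reason)
        return ("Status: 403 Forbidden\r\n"
                "Content-Type: text/plain\r\n\r\nNot authorized\n")
    return ("Status: 200 OK\r\n"
            "Content-Type: text/plain\r\n\r\n"
            "Hello, %s\n" % environ["SSL_CLIENT_S_DN_CN"])


if __name__ == "__main__":
    sys.stdout.write(respond(os.environ))
```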