Mutual TLS authentication

Hi,

I'm working in the following environment:

Apache 2.4.48
mod_wsgi 3.4
Python 3.7+
Flask 2.0.1
cryptography (pyca) 3.4.7

Amazon Linux 2

I'm also using a self-signed Root CA internally to the organization on both the clients and server.

The clients are mobile and their IP addresses are not significant, so I'm not using SAN w/ IP address in the client certs.

I'd like to have the server verify that the client has presented a cert, that the cert ladders up to our enterprise Root CA, that it's not revoked on the OCSP server embedded in the issuer cert(s) AIA, etc.

But I'd also like to have access inside the server script to the client certificate itself, so I can do further access checking on the certificate itself (i.e. CN, the UID, membership in an explicit group or whitelist, etc.).

Some of my ssl.conf looks like:

WSGIScriptAlias /enroll /var/www/scripts/enroll.wsgi
<Directory /var/www/scripts>
    WSGIProcessGroup enroll
    WSGIApplicationGroup %{GLOBAL}

    Order deny,allow
    Allow from all

    SSLOptions +StdEnvVars
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    SSLVerifyClient require
    SSLVerifyDepth 5
</Directory>

Not sure I need the +FakeBasicAuth ... seems superfluous, but I copied and pasted that from an article I googled.

It seems that a lot of this happens on the server itself and not inside the scripting, and it verifies a lot based on the server (some servers perform more checking, others less, etc.).

Is there a FAQ or Best Practices document describing all of this, soup-to-nuts?

Thanks,

-Philip
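An added example (editor's code, not Philip's and not part of mod_wsgi or Flask) of the second half of the question: doing application-level checks on the client certificate once mod_ssl has already verified the chain. It assumes the WSGI environ carries the variables mod_ssl exports under the names SSL_CLIENT_VERIFY and SSL_CLIENT_CERT (the latter is the PEM certificate that +ExportCertData provides, passed through by mod_wsgi when +StdEnvVars is set), and it uses the pyca/cryptography x509 API to pull the CN and UID out of the subject. The issuer CN, the UID allowlist and the self-signed test certificate are constructed values for the example; the helper that builds the test certificate stands in for a certificate issued by the enterprise CA.

```python
"""Application-side checks on an Apache-verified client certificate.

Added example, not from the original post. Assumes mod_ssl's variable names
(SSL_CLIENT_VERIFY, SSL_CLIENT_CERT) are present in the WSGI environ; the
policy values and the test certificate below are constructed.
"""
import datetime
from typing import Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed policy values: the CA we expect to have issued client certs,
# and an explicit allowlist keyed on the UID attribute of the subject.
EXPECTED_ISSUER_CN = "Example Corp Root CA"
ALLOWED_UIDS = {"alice", "bob"}

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def normalize_pem(raw: str) -> bytes:
    """Return a parseable PEM block even if the newlines were flattened to spaces.

    Some front ends hand the exported certificate over on a single line; this
    rebuilds the 64-column body so the PEM loader accepts it either way.
    """
    body = raw.strip()
    if PEM_BEGIN in body and "\n" not in body:
        inner = body[len(PEM_BEGIN):body.index(PEM_END)].strip()
        body = "\n".join([PEM_BEGIN, inner.replace(" ", "\n"), PEM_END])
    return (body + "\n").encode("ascii")


def name_attr(name: x509.Name, oid: x509.ObjectIdentifier) -> Optional[str]:
    """First value of the given attribute in an X.509 Name, or None."""
    attrs = name.get_attributes_for_oid(oid)
    return attrs[0].value if attrs else None


def check_client_cert(environ: dict,
                      now: Optional[datetime.datetime] = None
                      ) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, uid) for the certificate the client presented.

    Chain building, signature checks and revocation are mod_ssl's job; this
    layer only enforces the application's own policy on the verified cert.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "no verified client certificate", None
    pem = environ.get("SSL_CLIENT_CERT")
    if not pem:
        return False, "SSL_CLIENT_CERT not exported", None
    try:
        cert = x509.load_pem_x509_certificate(normalize_pem(pem))
    except ValueError:
        return False, "unparseable client certificate", None
    now = now or datetime.datetime.utcnow()
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False, "certificate outside validity period", None
    issuer_cn = name_attr(cert.issuer, NameOID.COMMON_NAME)
    if issuer_cn != EXPECTED_ISSUER_CN:
        return False, "unexpected issuer %r" % issuer_cn, None
    uid = name_attr(cert.subject, NameOID.USER_ID)
    if uid not in ALLOWED_UIDS:
        return False, "uid %r not in allowlist" % uid, uid
    return True, "ok", uid


def wsgi_app(environ, start_response):
    """Minimal WSGI entry point; in Flask the same keys live in request.environ."""
    allowed, reason, uid = check_client_cert(environ)
    status = "200 OK" if allowed else "403 Forbidden"
    text = "hello %s\n" % uid if allowed else "forbidden: %s\n" % reason
    body = text.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def make_test_cert(uid: str, issuer_cn: str = EXPECTED_ISSUER_CN) -> str:
    """Constructed self-signed certificate standing in for one from the enterprise CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "%s device" % uid),
        x509.NameAttribute(NameOID.USER_ID, uid),
    ])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    now = datetime.datetime.utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM).decode("ascii")
```

The split of responsibilities is deliberate: the chain, signature and expiry of the client certificate are enforced by mod_ssl before the request reaches the script, and the script re-checks only what it needs for its own authorization decision (issuer, validity, UID allowlist). Revocation is not covered by SSLVerifyClient on its own; OCSP checking in mod_ssl is switched on with the SSLOCSPEnable directive. The SSL_CLIENT_VERIFY check at the top matters when SSLVerifyClient is ever relaxed to "optional": it keeps the script from trusting a certificate Apache did not actually verify.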


