Right off the bat, I want to point out that this is NOT a bug report but rather a feature request/proposal (I don't know whether this is allowed or not ... my apologies if it isn't)
In a nutshell what I would like to have is in the SSL environment variables a new variable that uniquely identifies the client certificate (certificate sha1 fingerprint maybe ?).
Imagine a (corporate internal) service that does mTLS user authentication. Now (I presume for financial reasons) the company created its own CA and issued thousands of certificates.
I can of course add the internal CA to my known CAs list, and I can check of course the SSL_CLIENT_S_DN_CN name, but I cannot guarantee that the CA plays nice (meaning that they might actually create certificates with the same DN or the same SN ... it actually happened).
Now, I already have a small subset of certificates in an LDAP, so what I would like to do is to authorize access based on certificate fingerprint.
If I had the (sha1 ...) fingerprint in an environment variable (let us say SSL_CLIENT_CERT_SHA1) I could do something like :
SSLUserName SSL_CLIENT_CERT_SHA1
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldaphost/ou=accounts,dc=test,dc=com?uid"
Where of course the ldap uids would be the fingerprints.
I hope this would make sense to more people...
Regards
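Added example (not part of the request above and not mod_ssl code): until a fingerprint variable exists, the same check can be done in the application from the PEM that mod_ssl already exports as SSL_CLIENT_CERT (with SSLOptions +ExportCertData), producing the fingerprint in the colon-separated form the LDAP uids would hold and matching it against an allowlist regardless of case or separators. The DER bytes, PEM blob and allowlist below are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import os
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Take the first CERTIFICATE block of a PEM string and decode its body to DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    body = re.sub(r"\s+", "", m.group(1))  # drop line breaks / stray spaces from the env var
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint of the DER certificate as openssl prints it: 'AB:CD:...'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: upper-case hex, no separators ('ab:cd' == 'ABCD')."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def is_authorized(pem: str, allowlist, algo: str = "sha1") -> bool:
    """True only if the presented certificate's fingerprint is in the allowlist."""
    try:
        der = pem_to_der(pem)
    except ValueError:
        return False  # no or malformed certificate: deny
    fp = normalize(fingerprint(der, algo))
    return any(fp == normalize(allowed) for allowed in allowlist)


# Constructed placeholder: a tiny DER SEQUENCE, NOT a real certificate; it only exercises the hashing.
FAKE_DER = bytes.fromhex("30060201010201ff")
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed allowlist, in the format the LDAP uid attribute is assumed to hold.
ALLOWED = [fingerprint(FAKE_DER)]

if __name__ == "__main__":
    # Under Apache (CGI, mod_wsgi, ...) the PEM arrives in SSL_CLIENT_CERT; fall back to the placeholder.
    pem = os.environ.get("SSL_CLIENT_CERT", FAKE_PEM)
    print("authorized" if is_authorized(pem, ALLOWED) else "denied")
```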