mod_python, mod_ssl, and custom client cert verification

I have a project that's using client certificate verification, and I
want to implement a custom mechanism for verifying certificates. In
particular, I do not care if a certificate traces back to a CA. I want
to evaluate the certificate myself and decide whether or not it is
acceptable.

Right now, I have "SSLVerifyClient optional_no_ca" in my config file.
This causes certificates to be sent by the browser if a certificate is
available. I can access the certificate by looking at
req.ssl_var_lookup("SSL_CLIENT_CERT") from my mod_python handler. I
could return a FORBIDDEN error if I don't like the certificate. So
far, so good.

However, what do I do in the case where the browser has multiple
client certificates? As far as I can tell, the browser (I'm using
Mozilla) only sends the first certificate. I can't seem to find a good
way to implement a challenge/response system that would require the
browser to enumerate through the certificates it has until I find one
that is acceptable to me.

Thanks,
Scott
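
The self-evaluation step described in the post above, as an added example that is not part of the original message: because `SSLVerifyClient optional_no_ca` accepts a certificate with no chain validation, the sketch pins the exact certificate by SHA-256 fingerprint of its DER bytes instead of trusting any subject field. It assumes Python 3; the function names, the `PINNED` set, the stand-in status constants and the sample bytes are constructed for illustration, and only `req.ssl_var_lookup("SSL_CLIENT_CERT")` comes from the post.

```python
import hashlib
import hmac
import ssl

# Stand-ins so the example runs outside Apache; in a real handler use
# mod_python's apache.OK and apache.HTTP_FORBIDDEN (same values).
OK = 0
HTTP_FORBIDDEN = 403

# Constructed sample data: placeholder bytes standing in for the DER
# encoding of an enrolled client certificate (not a real X.509 cert).
SAMPLE_DER = b"constructed-placeholder-der-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Hypothetical allow-list: SHA-256 fingerprints recorded at enrollment.
PINNED = {hashlib.sha256(SAMPLE_DER).hexdigest()}


def fingerprint(pem):
    """Return the SHA-256 hex digest of the DER bytes inside a PEM cert."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # ValueError on bad armor/base64
    return hashlib.sha256(der).hexdigest()


def is_acceptable(pem, pinned=PINNED):
    """True only if the presented certificate matches a pinned fingerprint."""
    if not pem:
        # optional_no_ca lets the client connect without any certificate.
        return False
    try:
        presented = fingerprint(pem)
    except ValueError:
        # Malformed PEM is rejected, never treated as "no opinion".
        return False
    # Check every pin with a constant-time comparison.
    matches = [hmac.compare_digest(presented, p.lower()) for p in pinned]
    return any(matches)


def handler(req):
    """Handler-shaped wrapper: req only needs ssl_var_lookup()."""
    pem = req.ssl_var_lookup("SSL_CLIENT_CERT")
    return OK if is_acceptable(pem) else HTTP_FORBIDDEN
```

The decision fails closed: a missing, malformed or unpinned certificate all produce the same FORBIDDEN result.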

