On Mon, Sep 11, 2006 at 10:44:18AM +0200, Jean-Gerard Pailloncy wrote: > Le 11 sept. 06 à 05:57, Michael Fuhr a écrit : > > If such a capability existed then it could arguably be considered > > a flaw in SSL because it would allow a server to impersonate one > > of its clients to another server or to hijack a client's secure > > connection with another server. Secure protocols are designed to > > prevent such attacks. > > The point is to USE AGAIN the authentification done by Apache with > PostgreSQL not DO AGAIN the authentification. To "use again" the client's authentication you'd have to "do again" the authentication. If the PHP script makes an SSL connection to PostgreSQL then that connection is independent of the HTTP client's SSL connection with the web server. If the server in the new connection (PostgreSQL) sends an SSL CertificateRequest message then the client (the PHP script) needs access to a certificate and the corresponding private key to reply with Certificate and CertificateVerify messages. The HTTP client's certificate would be available but that client's private key would not, so the PHP script would have no way to build a valid CertificateVerify message. > Googling around, I found: > mod_auth_krb with "AuthType KerberosV5SaveCredentials" > The auth is done by mod_auth_krb and mod_perl is able to use the same > ticket for PostgreSQL. It is in the doc of PG. You didn't mention Kerberos before; you said you wanted to reuse the client's SSL authentication. Kerberos works differently than SSL; I'd have to research the links you mentioned to see if reusing the client's credientials would indeed be possible using Kerberos. -- Michael Fuhr