httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: mod_ssl custom authentication hook
Date Wed, 09 Apr 2003 14:26:34 GMT
Kris Verbeeck wrote:
> 
> Hello,
> 
> We are trying to do custom ssl certificate checking, instead of using the
> standard callback.  We have introduced an optional function
> (custom_ssl_verify), and a new nVerifyClient type (SSL_CVERIFY_CUSTOM).  If
> that verify type is set, and there is an implementation of custom_ssl_verify,
> we set that as verify callback using modssl_set_verify().  However, we are
> experiencing some odd behaviour:
> 
> For each request, our callback is called 3 times.  This is not really an
> issue, because we do caching, but it makes us wonder if we're doing
> something wrong.  Of more concern is the fact, that though we set
> SSL_VERIFY_CLIENT_ONCE in the verify options, for every request
> (every image, etc on the page), the server re-requests client authentication.
> This is obvious from what we see in ssldump output.  Every time the user
> must retype his passphrase for their client certificate's private key (if he
> has set one of course).  The standard code path (SSL_CVERIFY_REQUIRE) only
> seems to request client auth once.
> 
> Is there anything we're missing?

Are you somehow preventing session reuse in your version?

Looking at this has made me think of something else, though: really, 
verification ought to _always_ be done by a hook, and that hook should 
be supplied by an appropriate module - the standard one doing the 
verification we know and love, of course.

Fixing that may make it clearer what your problem is, of course. I'll 
think about how to do it.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

