httpd-users mailing list archives

From: Joe Orton <jor...@redhat.com>
Subject: Re: [users@httpd] Requiring specific SSL certs for HTTP Auth logins
Date: Wed, 15 Sep 2004 16:15:55 GMT

On Wed, Sep 15, 2004 at 11:54:36AM -0400, Scott Gifford wrote:
> I'm using HTTP client certificate authentication in conjunction with
> HTTP Auth (well, a mod_perl extension which emulates HTTP Auth using
> cookies).  I'd like to require that the Common Name field of the
> certificate match the HTTP username of the user logging in.  Is there
> a way to do this?
> 
> I see how to have the certificate override the username and then
> provide per-certificate passwords, but the usernames are passed to an
> underlying authentication system, so that won't really work.

If you used real HTTP auth you could just do something like

  SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}

but using cookies it's more tricky.  An SSLRequire matching with a regex
match against the appropriate cookie header might work, otherwise
something more complicated using mod_rewrite (which can access SSL
variables directly in 2.0.51, using the %{SSL:SSL_CLIENT_S_DN_CN}
syntax).

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslrequire

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
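
The mod_rewrite route mentioned in the reply, written out as an added example (not from the original message or from the Apache project). It assumes Apache 2.0.51 or later, an SSL virtual host that already has its CA and server certificate configured, and two hypothetical names: a cookie `authuser` holding the plain username, and a protected path prefix `/private/`.

```apache
# Place inside the existing SSL <VirtualHost>.
# Assumptions (not from the original message): the cookie name "authuser"
# and the path prefix "/private/" are hypothetical; adjust to the real ones.

# The certificate must be requested at handshake time so that
# SSL_CLIENT_S_DN_CN is populated when the rewrite rules run.
SSLVerifyClient require

RewriteEngine On

# 1. Refuse ambiguous requests in which the cookie name appears more than
#    once. Otherwise the rule below could match one copy while the
#    application reads another.
RewriteCond %{HTTP_COOKIE} authuser=.*authuser=
RewriteRule ^/private/ - [F]

# 2. Join the certificate CN and the Cookie header with a "##" separator,
#    then use a backreference (\1) to require that the cookie value is
#    exactly the CN. The condition is negated, so any mismatch is refused.
#    It fails closed: an empty CN, a CN containing "#", a missing cookie
#    or a differently cased name all end in 403.
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN}##%{HTTP_COOKIE} !^([^#]+)##(.*;\s*)?authuser=\1(;|$)
RewriteRule ^/private/ - [F]

# The cookie is supplied by the client, so these rules only bind the
# claimed username to the certificate. The mod_perl authentication layer
# must still validate the session itself.
```

The rules cover only the area reached after login; a login page under the same prefix would be refused because no cookie is set yet.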

