httpd-users mailing list archives

From "Scott Baker" <smba...@gmail.com>
Subject [users@httpd] mod_python, mod_ssl, and custom client cert verification
Date Fri, 16 Jan 2009 02:15:48 GMT
I have a project that's using client certificate verification, and I
want to implement a custom mechanism for verifying certificates. In
particular, I do not care if a certificate traces back to a CA. I want
to evaluate the certificate myself and decide whether or not it is
acceptable.

Right now, I have "SSLVerifyClient optional_no_ca" in my config file.
This causes certificates to be sent by the browser if a certificate is
available. I can access the certificate by looking at
req.ssl_var_lookup("SSL_CLIENT_CERT") from my mod_python handler. I
could return a FORBIDDEN error if I don't like the certificate. So
far, so good.

However, what do I do in the case where the browser has multiple
client certificates? As far as I can tell, the browser (I'm using
mozilla) only sends the first certificate. I can't seem to find a good
way to implement a challenge/response system that would require the
browser to enumerate through the certificates it has until I find one
that is acceptable to me.

Thanks,
Scott
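As an added example, not Scott's code and not part of the original message: a mod_python handler implementing the custom verification described above, which reads SSL_CLIENT_CERT, parses the PEM and accepts only certificates whose SHA-256 fingerprint is on an allowlist, returning FORBIDDEN otherwise. It assumes mod_python 3's `req.ssl_var_lookup`/`req.log_error` API; the `ALLOWED_FINGERPRINTS` set and `SAMPLE_PEM` are constructed placeholders, and it does not address the multiple-certificate question at the end of the message.

```python
import base64
import hashlib
import re

# Placeholder: replace with the SHA-256 hex fingerprints of the client
# certificates you decide to accept (an allowlist, no CA chain involved).
ALLOWED_FINGERPRINTS = {"<sha256-hex-of-an-accepted-client-cert>"}

# Constructed sample: a PEM wrapper around bytes that are NOT a real X.509
# certificate; the pinning code only hashes the DER body, so it behaves
# identically on a real certificate exported by mod_ssl.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not a real cert").decode()
              + "\n-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """DER bytes of the first certificate in a PEM string. Inner whitespace is
    stripped so exports that replaced newlines with spaces still parse."""
    m = _PEM_RE.search(pem or "")
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)

def sha256_fingerprint(der):
    # Hex SHA-256 of the DER encoding, the usual value to pin.
    return hashlib.sha256(der).hexdigest()

def evaluate_client_cert(pem, allowed):
    """Custom policy: accept only a certificate whose fingerprint is pinned.
    The TLS handshake already proved the client holds the matching private key;
    optional_no_ca only skipped the chain check, which this allowlist replaces.
    Validity period and subject are not checked (that needs an X.509 parser)."""
    if not pem or "BEGIN CERTIFICATE" not in pem:
        return False, "no client certificate presented"
    try:
        fp = sha256_fingerprint(pem_to_der(pem))
    except ValueError as exc:
        return False, "unparsable certificate: %s" % exc
    if fp in allowed:
        return True, "pinned fingerprint %s" % fp
    return False, "unknown fingerprint %s" % fp

def handler(req):
    """mod_python handler: FORBIDDEN unless the custom policy accepts the cert."""
    from mod_python import apache  # imported here so the policy runs without Apache
    ok, reason = evaluate_client_cert(req.ssl_var_lookup("SSL_CLIENT_CERT"),
                                      ALLOWED_FINGERPRINTS)
    req.log_error("client cert check: %s" % reason, apache.APLOG_INFO)
    return apache.OK if ok else apache.HTTP_FORBIDDEN
```

The policy functions take the PEM string and the allowlist as plain arguments, so they can be unit-tested without Apache; only `handler` touches mod_python.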
