httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] SSL Client Certificates and CGI
Date Mon, 01 Oct 2012 12:54:25 GMT
On October 1, 2012 5:41 , Tom Browder <tom.browder@gmail.com> wrote:
> On Sun, Sep 30, 2012 at 7:44 PM, Mark Montague <mark@catseye.org> wrote:
>> On September 30, 2012 19:45 , Tom Browder <tom.browder@gmail.com> wrote:
>>> Does anyone have a pointer to help on restricting a directory to
>>> access only with valid SSL Client Certificates and how to work CGI
>>> scripts to respect that restriction?
>> So you are allowing requests for the CGI from any web browser, without a
>> client certificate, but you then want to restrict what the CGI can do when
>> it is running?
>>
>>
>> So, Mark, what about something like this:
>>
>> + if the cgi prog:
>>     - finds the appropriate SSL cert envvar to be defined
>>     - finds that envvar to satisfy appropriate criteria
>>
>> + then
>>    - run to normal completion
>>
>> + otherwise
>>    - return not authorized


My assumption was that you wanted to allow the CGI to be invoked for 
requests from web browsers that did not present client certificates, but 
then wanted to restrict what the CGI could do.

But if you have SSL related environment variables set, then this means 
that a client certificate was presented.  Instead of changing the CGI to 
check for this, why not change the web server configuration to require 
the certificate in all cases? ("SSLVerifyClient require").  Then the SSL 
environment variables will always be set, and the CGI will never have to 
check them.

If I'm missing what you're actually asking, please provide more details 
about the configuration you currently have -- how have you configured 
SSL client verification, and in what way are you seeing web browsers 
invoke the CGI without presenting a client certificate?

--
   Mark Montague
   mark@catseye.org
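
The check outlined in the quoted list above, written as a fail-closed CGI gate. This is an added example, not code from either poster or from the httpd project; it assumes `SSLOptions +StdEnvVars` is enabled so mod_ssl exports its variables to the CGI, and `ALLOWED_DNS`, `authorize` and `respond` are hypothetical names with constructed sample values. With "SSLVerifyClient require" in the server configuration, as the reply recommends, the gate becomes a second layer rather than the only one.

```python
#!/usr/bin/env python3
"""CGI-side client-certificate gate (added example; fails closed)."""
import os
import sys

# Assumption: hypothetical allowlist with a constructed sample subject DN.
# The DN string format depends on the httpd version and configuration, so
# copy the exact value your server exports in SSL_CLIENT_S_DN.
ALLOWED_DNS = {
    "CN=alice,OU=Ops,O=Example Corp,C=US",
}


def authorize(environ):
    """Return (allowed, reason) based on mod_ssl's exported variables.

    SSL_CLIENT_VERIFY is NONE when no certificate was presented, and may be
    GENEROUS or FAILED:<reason> under the optional verification modes.
    Only SUCCESS is accepted; a missing variable is treated as NONE.
    """
    if environ.get("HTTPS", "").lower() != "on":
        return False, "not an HTTPS request"
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, "client certificate not verified (%s)" % verify
    if environ.get("SSL_CLIENT_S_DN", "") not in ALLOWED_DNS:
        return False, "subject DN not on allowlist"
    return True, "ok"


def respond(environ, out=sys.stdout):
    """Write the CGI response to `out`; return the HTTP status used."""
    allowed, reason = authorize(environ)
    if not allowed:
        out.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n")
        out.write("not authorized\n")
        # CGI stderr lands in the server error log, not in the response.
        sys.stderr.write("cert gate denied: %s\n" % reason)
        return 403
    out.write("Content-Type: text/plain\r\n\r\n")
    out.write("hello, %s\n" % environ["SSL_CLIENT_S_DN"])
    return 200


if __name__ == "__main__":
    respond(os.environ)
```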

