Authenticating users based on S/MIME certificate - modssl


Thread: Authenticating users based on S/MIME certificate

  1. Authenticating users based on S/MIME certificate

    Hi. I am an administrator of a user account at an Apache web server.
    Currently the server is running Apache 1.3.37. My hosting provider plans
    on switching to new hardware with possibly new software. So I don't know
    if my web server will be run on Apache 1.3.37 or Apache 2.0.

    My goal is to let visitors of my web site authenticate themselves to my
    web server using some certificate, possibly S/MIME certificates.

    Now, my current S/MIME certificate for personal e-mail is approved for
    the following purposes:
    Email Signer Certificate
    Email Recipient Certificate

    Is it possible to have such a certificate authenticate its user towards
    an SSL web server? In any case I want to have a limited crowd of users
    seeing a subdirectory of pages without bothering the user with a user
    name/password dialog. Just their personal certificate lets them see
    pages in a certain subdirectory.

    As I understand the documentation for PHP, there is no means whereby PHP
    can read and interpret an SSL client certificate. Is that correct?

    Gunnar
    ______________________________________________________________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


  2. Re: Authenticating users based on S/MIME certificate

    Gunnar Vestergaard wrote:

    > My goal is to let visitors of my web site authenticate themselves to
    > my web server using some certificate, possibly S/MIME certificates.


    > As I understand the documentation for PHP, there is no means whereby
    > PHP can read and interpret an SSL client certificate. Is that correct?


    It's possible to configure Apache 2 to add the client certificate to a
    request header. From one of my configuration files:

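    # Assumed prerequisites, not shown in the excerpt: the rewrite engine is
    # on and ESC maps to mod_rewrite's built-in escape function.
    RewriteEngine On
    RewriteMap ESC int:escape

    # Capture the %-encoded PEM block of the client certificate.
    RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \
    ^.*(-----BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-----(%0[Dd])?%0[Aa].*%0[Aa]-----END%20\2CERTIFICATE-----(%0[Dd])?%0[Aa]).*$
    RewriteRule ^.*$ - [E=CLIENT_CERT:%1]

    # Drop any L-ClientCert header sent by the client, then set it only
    # from the certificate that mod_ssl reports for this connection.
    RequestHeader unset L-ClientCert
    RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT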

    The certificate is %-encoded to avoid problems with newline characters.
    Presumably PHP can use the string in the header to match the
    certificate against a list of known certificates.

    The certificate digest would be less unwieldy than the entire
    certificate, but mod_ssl would need some simple changes to make the
    digest available and I would be reluctant to use a hosting provider who
    allowed customers to use a modified mod_ssl.


    Dave Sparks
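
Added example, not part of the original posts: one way a PHP script could consume the L-ClientCert header set by the configuration above and derive the certificate digest itself, so that no mod_ssl change is needed. The function names, the allowlist and the sample bytes are assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread). Function names, the allowlist and
// the sample bytes are constructed for illustration.

// Decode the %-encoded PEM from the L-ClientCert header and return the
// SHA-256 digest of the DER certificate, or null if the value is malformed.
function client_cert_fingerprint(string $headerValue): ?string
{
    // rawurldecode(), not urldecode(): a literal "+" in the base64 body
    // must not be turned into a space.
    $pem = rawurldecode($headerValue);
    // Accept exactly one block with the plain CERTIFICATE label.
    $re = '/\A-----BEGIN CERTIFICATE-----\r?\n([A-Za-z0-9+\/=\r\n]+)'
        . '-----END CERTIFICATE-----\r?\n?\z/';
    if (!preg_match($re, $pem, $m)) {
        return null;
    }
    $der = base64_decode(preg_replace('/\s+/', '', $m[1]), true);
    return ($der === false || $der === '') ? null : hash('sha256', $der);
}

// Constant-time comparison of the digest against the known certificates.
function is_known_client(?string $fingerprint, array $allowlist): bool
{
    if ($fingerprint === null) {
        return false;
    }
    foreach ($allowlist as $known) {
        if (hash_equals(strtolower($known), $fingerprint)) {
            return true;
        }
    }
    return false;
}

// Constructed demo input: placeholder bytes, not a real certificate.
$der = 'constructed-placeholder-der-bytes';
$pem = "-----BEGIN CERTIFICATE-----\n"
     . chunk_split(base64_encode($der), 64, "\n")
     . "-----END CERTIFICATE-----\n";
$allowlist = [hash('sha256', $der)];   // digests of enrolled certificates

// In a request handler, pass $_SERVER['HTTP_L_CLIENTCERT'] instead.
$header = rawurlencode($pem);
var_dump(is_known_client(client_cert_fingerprint($header), $allowlist));
var_dump(is_known_client(client_cert_fingerprint('not-a-cert'), $allowlist));
```

The config's regex also passes blocks labelled X509 CERTIFICATE and TRUSTED CERTIFICATE; this example rejects those rather than guess at their contents.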
