CGI client auth by digital certificate

traveler has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.
Re: CGI client auth by digital certificate by fglock (Vicar) on Sep 24, 2002 at 20:56 UTC
You can start looking at your environment variables under ssl. Try running this as a secure CGI. It will show you all info it has available: `#!/usr/local/bin/perl print "Content-type: text/html\n\n"; print "<tt>\n"; foreach $key (sort keys(%ENV)) { print "$key = $ENV{$key}<p>"; }` [download]	[reply] [d/l]
Re: CGI client auth by digital certificate by traveler (Parson) on Sep 24, 2002 at 22:06 UTC
Either I was unclear or I am confused. I want to look at the client certificate. Do I need to turn on SSL for that? I'm really just looking to authenticate the client. I found this in Net::SSLeay, but I'm not sure how to use it in a script: `Net::SSLeay::set_verify(ssl, Net::SSLeay::VERIFY_PEER, 0);` [download] I want to check that the cert is good and I want to look at the issuer. Thanks, --traveler	[reply] [d/l]
Re: Re: CGI client auth by digital certificate by mfriedman (Monk) on Sep 24, 2002 at 23:08 UTC
You'll definately need to be in SSL mode in order to check the client cert; I don't believe it would ever be sent to you in regular HTTP mode. I don't know of any way to get the cert information in a CGI. I think you'll probably have to use mod_perl to hook into Apache's authentication handlers.	[reply]
Re: Re: CGI client auth by digital certificate by BigJoe (Curate) on Sep 24, 2002 at 23:52 UTC
I have looked into this too but not very hard. Just enough to hit some dead ends. So if you find something please let me know. A suggestion to look at is StarWars Episode 1 CD. I think they did something like that where they put some sort of cert on a CD and used that to authenticate you to let you into the website to see Episode II previews. This might be a start. --BigJoe Learn patience, you must. Young PerlMonk, craves Not these things. Use the source Luke.	[reply]
Re: CGI client auth by digital certificate by Beatnik (Parson) on Sep 24, 2002 at 21:14 UTC
I recall `$ENV{HTTPS}` is set if you're in SSL mode. I doubt any other things are available thru `%ENV` tho but you might wanna look at mod_perl :) Greetz Beatnik ...Perl is like sex: if you're doing it wrong, there's no fun to it.	[reply] [d/l] [select]
Re: CGI client auth by digital certificate by Fastolfe (Vicar) on Sep 25, 2002 at 17:40 UTC
You'd generally approach this by configuring the web server to do all of the SSL client certificate validation. SSL certificate validation is a function of the SSL session. By the time your CGI script gets the request, you've already negotiated an SSL session. If you want to know the client's distinguished name, this should be available in the `SSL_CLIENT_DN` environment variable. You can then do whatever necessary authorization to permit or deny the user access to functions within your script. If you're wanting to permit access to the script itself, consider doing this in the web server configuration as well. Your script can then work under the assumption that if the script is being called, the user is allowed to do so.	[reply] [d/l]


P is for Practical
	PerlMonks