CGI client auth by digital certificate

by traveler (Parson)
on Sep 24, 2002 at 20:14 UTC

traveler has asked for the wisdom of the Perl Monks concerning the following question:

I've tried searching this site and others with no luck. What I want to do is have a CGI program authenticate a user by verifying a digital certificate. I'm using Apache under Linux. I know how to authenticate the user to access a page, but I want the perl CGI script to verify the user, too. Actually, the script just needs to verify that the cert is valid and came from our CA. Is there a way to do this?


Replies are listed 'Best First'.
Re: CGI client auth by digital certificate
by fglock (Vicar) on Sep 24, 2002 at 20:56 UTC

    You can start looking at your environment variables under ssl. Try running this as a secure CGI. It will show you all info it has available:

    #!/usr/local/bin/perl
    # Dump every environment variable the server passes to this CGI
    print "Content-type: text/html\n\n";
    print "<tt>\n";
    foreach $key (sort keys(%ENV)) {
        print "$key = $ENV{$key}<p>";
    }
Re: CGI client auth by digital certificate
by traveler (Parson) on Sep 24, 2002 at 22:06 UTC
    Either I was unclear or I am confused. I want to look at the client certificate. Do I need to turn on SSL for that? I'm really just looking to authenticate the client. I found this in Net::SSLeay, but I'm not sure how to use it in a script:
    Net::SSLeay::set_verify(ssl, Net::SSLeay::VERIFY_PEER, 0);
    I want to check that the cert is good and I want to look at the issuer.

    Thanks, --traveler

      You'll definitely need to be in SSL mode in order to check the client cert; I don't believe it would ever be sent to you in regular HTTP mode.

      I don't know of any way to get the cert information in a CGI. I think you'll probably have to use mod_perl to hook into Apache's authentication handlers.

      I have looked into this too but not very hard. Just enough to hit some dead ends. So if you find something please let me know. A suggestion to look at is StarWars Episode 1 CD. I think they did something like that where they put some sort of cert on a CD and used that to authenticate you to let you into the website to see Episode II previews. This might be a start.


      Learn patience, you must.
      Young PerlMonk, craves Not these things.
      Use the source Luke.
Re: CGI client auth by digital certificate
by Beatnik (Parson) on Sep 24, 2002 at 21:14 UTC
    I recall $ENV{HTTPS} is set if you're in SSL mode. I doubt any other things are available thru %ENV tho but you might wanna look at mod_perl :)

    ...Perl is like sex: if you're doing it wrong, there's no fun to it.
Re: CGI client auth by digital certificate
by Fastolfe (Vicar) on Sep 25, 2002 at 17:40 UTC
    You'd generally approach this by configuring the web server to do all of the SSL client certificate validation. SSL certificate validation is a function of the SSL session. By the time your CGI script gets the request, you've already negotiated an SSL session. If you want to know the client's distinguished name, this should be available in the SSL_CLIENT_DN environment variable. You can then do whatever authorization is necessary to permit or deny the user access to functions within your script. If you're wanting to permit access to the script itself, consider doing this in the web server configuration as well. Your script can then work under the assumption that if the script is being called, the user is allowed to do so.
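
The approach described in the last reply, as an added example that is not code from any poster in this thread: the web server validates the client certificate during the SSL handshake, and the CGI only reads the verdict and the issuer from its environment. It assumes Apache mod_ssl with `SSLVerifyClient` enabled and `SSLOptions +StdEnvVars`, which exports `SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN` and `SSL_CLIENT_I_DN`; the issuer DN and the `check_client_cert` helper are hypothetical.

```perl
#!/usr/bin/perl
# Added example: rely on the web server's verdict on the client certificate,
# then check the issuer before doing any work.
# Assumes Apache mod_ssl with SSLVerifyClient enabled and
# "SSLOptions +StdEnvVars" so the SSL_CLIENT_* variables reach the CGI.
use strict;
use warnings;

# Hypothetical issuer DN of the in-house CA; replace it with your CA's DN
# exactly as your server prints it (the string format varies by version).
my $EXPECTED_ISSUER = '/C=US/O=Example Corp/CN=Example Internal CA';

# Returns (ok, detail). Takes the environment as a hash ref so the check
# can be exercised without a web server.
sub check_client_cert {
    my ($env) = @_;

    return (0, 'not an SSL request')
        unless lc($env->{HTTPS} // '') eq 'on';

    # mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason here.
    my $verify = $env->{SSL_CLIENT_VERIFY} // 'NONE';
    return (0, "certificate not verified ($verify)")
        unless $verify eq 'SUCCESS';

    # Exact string match: a substring or regex match could accept a
    # look-alike issuer name.
    my $issuer = $env->{SSL_CLIENT_I_DN} // '';
    return (0, 'unexpected issuer')
        unless $issuer eq $EXPECTED_ISSUER;

    my $subject = $env->{SSL_CLIENT_S_DN} // '';
    return (0, 'missing subject DN') unless length $subject;

    return (1, $subject);
}

my ($ok, $detail) = check_client_cert(\%ENV);
if ($ok) {
    print "Content-type: text/plain\n\n";
    print "Authenticated as: $detail\n";
} else {
    # Keep the reason in the server log; the client only learns "denied".
    print STDERR "client cert rejected: $detail\n";
    print "Status: 403 Forbidden\n";
    print "Content-type: text/plain\n\n";
    print "Access denied\n";
}
```

The issuer string is only trustworthy because the server has already verified the certificate chain against the CAs listed in `SSLCACertificateFile`; the comparison narrows an already validated certificate to one CA and is not a substitute for that validation.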
