[patch] Add additional SSL env variables for strict client certificate authentication and authorization
- OpenSSL Client Authentication
The OpenSSL client authentication environment variables introduced
allow for fine-grained access control to be achieved via external
CGI, FastCGI, and SCGI processes. Enabling client certificate
verification in tandem with these changes enables securing CGI,
FastCGI, and SCGI programs beyond current authentication methods.
This authentication is more desirable than plain username and
password authentication methods.
The following newly introduced CGI environment variables are exported
for usage in authorizing client certificates for the necessary levels
of authorization within CGI, FastCGI, and SCGI processes:
1. SSL_CLIENT_SERIAL_NUMBER: The certificate's serial number expressed as a numeric or hexadecimal string.
2. SSL_CLIENT_FINGERPRINT: The certificate's SHA fingerprint expressed as a hexadecimal string.
3. SSL_CLIENT_CERT: A boolean flag specifying whether or not a client SSL certificate was present. Valid values are "true" and "false".
- Usage Example
An example of usage is to completely secure a Drupal installation by
requiring all users of the system to have client certificates and
authorizing the client based on their SSL certificate fingerprint.
In securing the Drupal installation in this way, it becomes nearly
impossible to access the administrative area without having a
client certificate and authorization based on the unique SHA
fingerprint of the client certificate.
When used in this way, Drupal becomes very secure against unwanted
users accessing parts of Drupal they should not.
Updated by gstrauss almost 5 years ago
- Status changed from New to Duplicate
- Target version changed from 1.4.x to 1.4.42
Your patch does not follow established naming conventions: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars
#2268 provided a patch for SSL_CLIENT_M_SERIAL (the conventional name) about 5 years prior to your filing this feature request for SSL_CLIENT_SERIAL_NUMBER. Also, your patch provides SSL_CLIENT_CERT with "true" or "false" as the value, when SSL_CLIENT_CERT is expected by many to contain the PEM-encoded client certificate, which lighttpd already provides if ssl.verifyclient.exportcert = "enable" is set in lighttpd.conf.
While lighttpd does not provide the remaining addition in your patch (SSL_CLIENT_FINGERPRINT), you can generate the fingerprint yourself if you have enabled export of the PEM-encoded client certificate in SSL_CLIENT_CERT.
Given the above, this issue is being marked a duplicate of #2268.
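A worked example of the approach described in the reply above, added here and not code from lighttpd or from either poster: a CGI handler that derives the SHA-256 fingerprint from the PEM-encoded certificate lighttpd places in SSL_CLIENT_CERT (with ssl.verifyclient.exportcert = "enable") and checks it against an allowlist, which is what the requested SSL_CLIENT_FINGERPRINT variable would have been used for. The sample PEM body, the allowlist format and the function names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
import re
import sys

# Constructed stand-in for the value lighttpd exports in SSL_CLIENT_CERT: the
# base64 body is placeholder bytes, not a real X.509 certificate. The
# fingerprint computation (hash over the DER bytes) is the same either way.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder DER bytes of a constructed client cert").decode()
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first PEM certificate block, or raise ValueError."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("SSL_CLIENT_CERT does not contain a PEM certificate")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Lowercase hex digest over the DER encoding, i.e. what
    `openssl x509 -noout -fingerprint -sha256` prints without colons/upper-case."""
    return hashlib.new(algo, pem_to_der(pem)).hexdigest()


def is_authorized(environ, allowlist) -> bool:
    """Authorization decision for a CGI/FastCGI/SCGI request: the client must have
    presented a certificate whose fingerprint is on the allowlist. Allowlist entries
    may be in openssl's colon-separated upper-case form or bare lowercase hex."""
    pem = environ.get("SSL_CLIENT_CERT", "")
    if "-----BEGIN CERTIFICATE-----" not in pem:
        return False  # no client certificate was exported for this request
    try:
        actual = fingerprint(pem)
    except ValueError:
        return False  # malformed PEM: fail closed
    normalized = [entry.lower().replace(":", "") for entry in allowlist]
    return any(hmac.compare_digest(actual, expected) for expected in normalized)


if __name__ == "__main__":  # minimal CGI response when run under lighttpd's mod_cgi
    allowed = os.environ.get("ALLOWED_FINGERPRINTS", "").split(",")  # assumed config
    ok = is_authorized(os.environ, [e for e in allowed if e])
    sys.stdout.write("Status: 200 OK\r\n" if ok else "Status: 403 Forbidden\r\n")
    sys.stdout.write("Content-Type: text/plain\r\n\r\n" + ("granted\n" if ok else "denied\n"))
```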