Project

General

Profile

Feature #2652

[patch] Add additional SSL env variables for strict client certificate authentication and authorization

Added by jbenden about 5 years ago. Updated almost 4 years ago.

Status:
Duplicate
Priority:
Normal
Category:
TLS
Target version:
ASK QUESTIONS IN Forums:

Description

  1. OpenSSL Client Authentication

The OpenSSL client authentication environment variables introduced
allow for fine grain access control to be achieved via external
CGI, FastCGI, and SCGI processes. Enabling client certificate
verification in tandem with these changes enables securing CGI,
FastCGI, and SCGI programs beyond current authentication methods.
This authentication is more desirable than plain username and
password authentication methods.

The following newly introduced CGI environment variables are exported
for usage in authorizing client certificates for the necessary levels
of authorization within CGI, FastCGI, and SCGI processes:

1. SSL_CLIENT_SERIAL_NUMBER: The certificates serial number expressed as a numeric or hexidecimal string.
2. SSL_CLIENT_FINGERPRINT: The certificates SHA fingerprint expressed as a hexidecimal string.
3. SSL_CLIENT_CERT: A boolean flag specifying wether or not a client SSL certificate was present. Valid values are "true" and "false".

  1. Usage Example

An example of usage is to completely secure a Drupal installation by
requiring all users of the system to have client certificates and
authorizing the client based on their SSL certificate fingerprint.

In securing the Drupal installation in this way, it becomes nearly
impossible to access the administrative area without having a
client certificate and authorization based on the unique SHA
fingerprint of the client certificate.

When used in this way, Drupal becomes very secure against unwanted
users accessing parts of Drupal they should not.


Files

openssl_client_authentication.patch (9.09 KB) openssl_client_authentication.patch Patch to add SSL env variables to CGI, FastCGI, and SCGI jbenden, 2015-07-04 21:12

Related issues

Related to Feature #2511: pass protocol and cipher details to fcgi envFixed2013-09-06Actions
Is duplicate of Feature #2268: Set serial number of the client certificate into environmentFixed2010-10-23Actions
#1

Updated by gstrauss over 4 years ago

  • Category changed from core to TLS
#2

Updated by gstrauss about 4 years ago

  • Missing in 1.5.x deleted (Yes)
#3

Updated by gstrauss almost 4 years ago

  • Related to Feature #2268: Set serial number of the client certificate into environment added
#4

Updated by gstrauss almost 4 years ago

  • Related to Feature #2511: pass protocol and cipher details to fcgi env added
#5

Updated by gstrauss almost 4 years ago

  • Status changed from New to Duplicate
  • Target version changed from 1.4.x to 1.4.42

Your patch does not follow established naming conventions http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars
#2268 provided a patch for SSL_CLIENT_M_SERIAL (the conventional name) about 5 years prior to you filing this feature request for
SSL_CLIENT_SERIAL_NUMBER. Also, your patch provides SSL_CLIENT_CERT with "true" or "false" as value, when SSL_CLIENT_CERT is expected by many to contain the PEM-encoded client certificate, and which lighttpd already provides if ssl.verifyclient.exportcert = "enable" is set in lighttpd.conf.

While lighttpd does not provide the remaining addition in your patch (SSL_CLIENT_FINGERPRINT), you can generate the fingerprint yourself if you have enabled export of the PEM-encoded client certificate in SSL_CLIENT_CERT.

Given the above, this issue is being marked a duplicate of #2268.

#6

Updated by gstrauss almost 4 years ago

  • Related to deleted (Feature #2268: Set serial number of the client certificate into environment)
#7

Updated by gstrauss almost 4 years ago

  • Is duplicate of Feature #2268: Set serial number of the client certificate into environment added

Also available in: Atom