Re: [soaplite] SOAP and SSL Client Certificates

  • Byrne Reese
    Message 1 of 9 , Oct 9, 2002
      Totally agree. There should *at least* be a mention in the user guide, or
      a reference to the Crypt::SSLeay documentation on the subject. And yes,
      the environment variables are the way to go.

      Obviously. Doh!

      There is a caveat to this: you can only use one client cert per process.
      Once the SSL library initializes itself, you can't change the cert you
      are using...

      On Wed, 2002-10-09 at 08:54, Ajit Deshpande wrote:
      > On Wed, Oct 09, 2002 at 08:22:51AM -0700, Byrne Reese wrote:
      > > [..]
      > > the service via HTTPS. As for client certificate based authentication...
      > > let me get back to you. We solved this at GCC, but I have to dig through
      > > some code. Let me ping an engineer who got this working and see if he
      > > can help.
      >
      > Coincidentally, I was just researching this yesterday! i.e. how to do SSL
      > Client Certificate authentication from a perl client using SOAP::Lite.
      > And my research led to the same conclusion as yours above:
      > i.e. simply use an https://blah as your proxy for the SSL connection.
      >
      > Now, as regards the Client certificate, the trick seems to lie in
      > declaring an environment variable. The following is from the
      > Crypt::SSLeay documentation:
      >
      > [..]
      > use LWP::UserAgent;
      > my $ua = new LWP::UserAgent;
      > my $req = new HTTP::Request('GET', 'https://www.nodeworks.com');
      > my $res = $ua->request($req);
      > print $res->code."\n";
      >
      > # PROXY SUPPORT
      > $ENV{HTTPS_PROXY} = 'http://proxy_hostname_or_ip:port';
      >
      > # PROXY_BASIC_AUTH
      > $ENV{HTTPS_PROXY_USERNAME} = 'username';
      > $ENV{HTTPS_PROXY_PASSWORD} = 'password';
      >
      > # DEFAULT SSL VERSION
      > $ENV{HTTPS_VERSION} = '3';
      >
      > # CLIENT CERT SUPPORT
      > $ENV{HTTPS_CERT_FILE} = 'certs/notacacert.pem';
      > $ENV{HTTPS_KEY_FILE} = 'certs/notacakeynopass.pem';
      >
      > # CA CERT PEER VERIFICATION
      > $ENV{HTTPS_CA_FILE} = 'certs/ca.crt';
      > $ENV{HTTPS_CA_DIR} = 'certs/';
      > [..]
      >
      > I haven't yet implemented the system -- but just thought I'd share this
      > with the list, since it was quite frustrating to track down the above
      > information for me :)
      >
      > Maybe, we could put in a blurb in SOAP::Lite documentation. Also, there
      > needs to be a blurb in the LWP::UserAgent documentation -- because that
      > is where people first start looking.
      >
      > Ajit
      >
      --
      :/ byrne

      Program Manager
      Grand Central Communications
      breese@...
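
The environment variables quoted above and the one-certificate-per-process caveat, combined in an added example that is not part of the thread or of the SOAP::Lite or Crypt::SSLeay documentation: each client identity gets its own forked child, so the SSL library initialises once per certificate. It assumes LWP is using Crypt::SSLeay as discussed here; the endpoint, namespace, method name and all file paths are constructed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed placeholders: endpoint, namespace, method and all file paths.
my $endpoint = 'https://soap.example.com/service';
my $ca_file  = 'certs/ca.crt';
my %identity = (
    billing => { cert => 'certs/billing-cert.pem', key => 'certs/billing-key.pem' },
    audit   => { cert => 'certs/audit-cert.pem',   key => 'certs/audit-key.pem'   },
);

# Runs in a child process; returns 1 on success, 0 on failure.
sub call_as {
    my ($name, $id) = @_;
    for my $file ($id->{cert}, $id->{key}, $ca_file) {
        -r $file or die "$name: cannot read $file\n";
    }
    # The key is stored without a passphrase, so refuse group/world access.
    my $mode = (stat $id->{key})[2] & 07777;
    die sprintf("%s: key mode %04o is too permissive\n", $name, $mode)
        if $mode & 077;

    # Set before the first HTTPS request, i.e. before the SSL library
    # initialises in this process.
    $ENV{HTTPS_CERT_FILE} = $id->{cert};
    $ENV{HTTPS_KEY_FILE}  = $id->{key};
    $ENV{HTTPS_CA_FILE}   = $ca_file;      # verify the server as well

    require SOAP::Lite;
    my $soap = SOAP::Lite->uri('urn:Example')->proxy($endpoint);
    my $som  = eval { $soap->call('ping') };   # transport errors die by default
    return 0 if !$som || $som->fault;
    return 1;
}

for my $name (sort keys %identity) {
    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: a fresh process, so this certificate is the only one loaded.
        exit(call_as($name, $identity{$name}) ? 0 : 1);
    }
    waitpid($pid, 0);
    printf "%s: %s\n", $name, $? == 0 ? 'ok' : 'failed';
}
```

The parent never makes an HTTPS request itself, so no certificate is loaded in it before the fork.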
    • simon.fairey@ft.com
      Message 2 of 9 , Oct 10, 2002
        Thanks for all the help, greatly appreciated. From looking at things I think I'm going to go with a "https://user:pass@blah" type of access as that should be sufficient security and especially as the client will ultimately be written by someone else using Python. I wanted to try and get the Perl client working to test it and think I still may try and get the certs to work for my own peace of mind anyway :-)

        Thanks again

        Si



        Ajit Deshpande <ajit@...>
        Sent by: Ajit Deshpande <ajit@...>

        09/10/2002 15:54

               
                To:        Byrne Reese <breese@...>
                cc:        Simon.Fairey@..., John Hartnup <john@...>, SOAP Lite Mailing List <soaplite@yahoogroups.com>
                Subject:        Re: [soaplite] SOAP and SSL Client Certificates



        On Wed, Oct 09, 2002 at 08:22:51AM -0700, Byrne Reese wrote:
        > [..]
        > the service via HTTPS. As for client certificate based authentication...
        > let me get back to you. We solved this at GCC, but I have to dig through
        > some code. Let me ping an engineer who got this working and see if he
        > can help.

        Coincidentally, I was just researching this yesterday! i.e. how to do SSL
        Client Certificate authentication from a perl client using SOAP::Lite.
        And my research led to the same conclusion as yours above:
        i.e. simply use an https://blah as your proxy for the SSL connection.

        Now, as regards the Client certificate, the trick seems to lie in
        declaring an environment variable. The following is from the
        Crypt::SSLeay documentation:

        [..]
        use LWP::UserAgent;
        my $ua = new LWP::UserAgent;
        my $req = new HTTP::Request('GET', 'https://www.nodeworks.com');
        my $res = $ua->request($req);
        print $res->code."\n";


        # PROXY SUPPORT
        $ENV{HTTPS_PROXY} = 'http://proxy_hostname_or_ip:port';


        # PROXY_BASIC_AUTH
        $ENV{HTTPS_PROXY_USERNAME} = 'username';
        $ENV{HTTPS_PROXY_PASSWORD} = 'password';


        # DEFAULT SSL VERSION
        $ENV{HTTPS_VERSION} = '3';


        # CLIENT CERT SUPPORT
        $ENV{HTTPS_CERT_FILE} = 'certs/notacacert.pem';
        $ENV{HTTPS_KEY_FILE}  = 'certs/notacakeynopass.pem';


        # CA CERT PEER VERIFICATION
        $ENV{HTTPS_CA_FILE}   = 'certs/ca.crt';
        $ENV{HTTPS_CA_DIR}    = 'certs/';

        [..]

        I haven't yet implemented the system -- but just thought I'd share this
        with the list, since it was quite frustrating to track down the above
        information for me :)

        Maybe, we could put in a blurb in SOAP::Lite documentation. Also, there
        needs to be a blurb in the LWP::UserAgent documentation -- because that
        is where people first start looking.

        Ajit


