
Client cert authZ

  • Trevor Leffler
    Message 1 of 3, Apr 30, 2003
      Hello all,

      I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
      that--via some Apache directives--forces client SSL connections and client cert
      authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
      messages, and go on our merry ways.

      After the client authN, I would like to add client authZ by getting a handle on
      the cert, extracting its IP address (or any other cert attributes), and
      comparing that against a list of "allowed" IPs. I could simply add the
      appropriate directives to the .htaccess file (i.e. make Apache do the check),
      but I'd like to do this check for each CGI SOAP server in the directory, because
      each server offers a different set of SOAP services, and different clients
      should be authZ'ed for only certain services.

      Any thoughts? Does SOAP::Transport::HTTP provide access to client certs? Am I
      going about this the wrong way?

      Thanks for any input, or especially pointers to code examples, etc.
      --
      Trevor Leffler, Software Developer
      PETTT / Ed-Tech Development Group
      Educational Partnerships & Learning Technologies
      University of Washington
      (206) 616-3406 / OUGL 230, Box 353080
    • Pablo Averbuj
      Message 2 of 3, Apr 30, 2003
        On Wed, Apr 30, at 01:05PM, Trevor Leffler wrote:
        > I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
        > that--via some Apache directives--forces client SSL connections and client cert
        > authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
        > messages, and go on our merry ways.
        >
        > After the client authN, I would like to add client authZ by getting a handle on
        > the cert, extracting its IP address (or any other cert attributes), and
        > comparing that against a list of "allowed" IPs. I could simply add the
        > appropriate directives to the .htaccess file (i.e. make Apache do the check),
        > but I'd like to do this check for each CGI SOAP server in the directory, because
        > each server offers a different set of SOAP services, and different clients
        > should be authZ'ed for only certain services.

        I'm not an expert, so it's quite likely I'm wrong, but it sounds
        like this isn't particular to SOAP::Lite at all. It seems like
        apache creates a bunch of environment variables for HTTPS
        connections that you can access and may be useful.

        http://www.apache-ssl.org/docs.html#CGI

        Particularly either the SSL_CLIENT_I_DN or the SSL_CLIENT_CERT if
        you don't want the DN.

        I'm also confused by the whole IP issue. It would seem to me that if
        you want to restrict based on IP, you can use the standard CGI
        environment variables for the remote host (REMOTE_ADDR) and not
        trouble yourself with the SSL certificate at all. However, if
        you're using the SSL certificates for authentication (so that IP
        addresses don't matter) then you probably want to look at the
        certificate chain to make sure it terminates in a trusted source
        and the DN is authorized.

        HTH,
        -Pablo
      • Trevor Leffler
        Message 3 of 3, May 2, 5:07 PM
          Pablo Averbuj wrote:
          > On Wed, Apr 30, at 01:05PM, Trevor Leffler wrote:
          >
          >>I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
          >>that--via some Apache directives--forces client SSL connections and client cert
          >>authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
          >>messages, and go on our merry ways.
          >>
          >>After the client authN, I would like to add client authZ by getting a handle on
          >>the cert, extracting its IP address (or any other cert attributes), and
          >>comparing that against a list of "allowed" IPs. I could simply add the
          >>appropriate directives to the .htaccess file (i.e. make Apache do the check),
          >>but I'd like to do this check for each CGI SOAP server in the directory, because
          >>each server offers a different set of SOAP services, and different clients
          >>should be authZ'ed for only certain services.
          >
          >
          > I'm not an expert, so it's quite likely I'm wrong, but it sounds
          > like this isn't particular to SOAP::Lite at all. It seems like
          > apache creates a bunch of environment variables for HTTPS
          > connections that you can access and may be useful.
          >
          > http://www.apache-ssl.org/docs.html#CGI
          >
          > Particularly either the SSL_CLIENT_I_DN or the SSL_CLIENT_CERT if
          > you don't want the DN.
          >
          > I'm also confused by the whole IP issue. It would seem to me that if
          > you want to restrict based on IP, you can use the standard CGI
          > environment variables for the remote host (REMOTE_ADDR) and not
          > trouble yourself with the SSL certificate at all. However, if
          > you're using the SSL certificates for authentication (so that IP
          > addresses don't matter) then you probably want to look at the
          > certificate chain to make sure it terminates in a trusted source
          > and the DN is authorized.
          >
          > HTH,
          > -Pablo

          Just wanted to tie this thread up. Yes, you are right: certificate information
          (e.g. DN, CN) is available to Apache, and to the CGI program via env vars. And,
          this happens at the security (SSL) level, which doesn't really include SOAP
          (ignoring the various SOAP-sec standards in the works). So, my authN/authZ
          steps can be handled by either apache directives or my CGIs before the SOAP
          request is handled.

          Also, you're right about the IP/cert confusion--IP restriction can be
          unnecessarily restrictive or just plain unnecessary, and actually has little to
          do with certs. I would really be checking the cert's CN or DN against a known list.

          Thanks for the input,
          Oh, and sorry for cluttering the list with SSL stuff. Perhaps it'll help out
          the next guy, tho... ;)
          --Trevor
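The approach the thread settles on (Pablo's pointer to the mod_ssl environment variables, and Trevor's plan to check the cert's subject DN against a known list per service, in the CGI, before the SOAP request is handled) put into a SOAP::Lite CGI, as an added example; it is not code from either poster. The service class `CourseService`, its two methods, the allow list and the DN strings are all constructed for illustration. It assumes Apache mod_ssl with `SSLVerifyClient require` (or `optional`) and `SSLOptions +StdEnvVars` in effect for the directory, which is what exports `SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN` and `SSL_CLIENT_I_DN` to the CGI (`SSL_CLIENT_CERT`, the PEM body, additionally needs `+ExportCertData`). Note that `SSL_CLIENT_I_DN` is the issuer (CA) DN; the client's own identity is `SSL_CLIENT_S_DN`, and the example checks both so that a same-named subject from a different CA is refused, which is the "chain terminates in a trusted source and the DN is authorized" point from the second message. Apache renders DNs as one string (`/C=.../O=.../CN=...` in the versions of this era; newer releases default to the comma-separated RFC 2253 form unless `+LegacyDNStringFormat` is set), so the allow list must use the exact rendering your server produces.

```perl
#!/usr/bin/perl
# Added example (not the thread's code): a SOAP::Lite CGI that authorizes
# each SOAP method against the client certificate Apache already verified.
use strict;
use warnings;
use SOAP::Transport::HTTP;

# Hypothetical CA and client DNs, written in the slash-separated form
# mod_ssl of this era exports; adjust to what your Apache actually emits.
my $TRUSTED_ISSUER = '/C=US/O=Example University/CN=Example Client CA';

# Constructed per-service allow list: SOAP method name => subject DNs
# permitted to call it. Methods not listed here are denied to everyone.
my %ALLOWED = (
    listCourses => [
        '/C=US/O=Example University/CN=catalog-client',
        '/C=US/O=Example University/CN=registrar-client',
    ],
    enrollUser => [
        '/C=US/O=Example University/CN=registrar-client',
    ],
);

# Returns the verified client subject DN, or nothing if no cert was sent,
# mod_ssl did not verify it, or it was issued by an unexpected CA.
# SSL_CLIENT_VERIFY is SUCCESS only for a chain that validated against
# the configured CA bundle; NONE, GENEROUS and FAILED:<reason> all deny.
sub verified_client_dn {
    my ($env) = @_;
    my $verify = $env->{SSL_CLIENT_VERIFY} || '';
    return unless $verify eq 'SUCCESS';
    my $issuer = $env->{SSL_CLIENT_I_DN} || '';
    return unless $issuer eq $TRUSTED_ISSUER;
    my $dn = $env->{SSL_CLIENT_S_DN};
    return unless defined $dn && length $dn;
    return $dn;
}

# Per-service authorization: may the verified DN call $method?
sub authorized {
    my ($env, $method) = @_;
    my $dn   = verified_client_dn($env);
    my $list = $ALLOWED{$method};
    return 0 unless defined $dn && $list;
    return (grep { $_ eq $dn } @$list) ? 1 : 0;
}

# Raise a SOAP fault (SOAP::Lite turns the die into a <Fault> reply)
# when the caller is not on the allow list for this method.
sub require_authz {
    my ($method) = @_;
    authorized(\%ENV, $method)
        or die SOAP::Fault->faultcode('Client')
                          ->faultstring("not authorized for $method");
}

# Authentication gate: if Apache did not verify a client cert, refuse
# before any SOAP envelope is parsed. With SSLVerifyClient require this
# is belt and braces; with SSLVerifyClient optional it is the only gate.
unless (defined verified_client_dn(\%ENV)) {
    print "Status: 403 Forbidden\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "verified client certificate required\n";
    exit 0;
}

SOAP::Transport::HTTP::CGI
    ->dispatch_to('CourseService')
    ->handle;

package CourseService;

# Each exposed method does its own authZ check first, so different
# clients can be allowed different services within one CGI.
sub listCourses {
    my ($class) = @_;
    main::require_authz('listCourses');
    return [ 'CSE 142', 'CSE 143' ];          # constructed sample data
}

sub enrollUser {
    my ($class, $user, $course) = @_;
    main::require_authz('enrollUser');
    return "enrolled $user in $course";       # constructed sample result
}

1;
```

Because `%ENV` is populated by Apache, not by anything in the SOAP message, a client cannot forge these values the way it could a SOAPAction header or a parameter; the only trust anchor is the CA bundle Apache verified against, which is why the issuer DN is pinned alongside the subject DN.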