Loading ...
Sorry, an error occurred while loading the content.
 

Re: [soaplite] Client cert authZ

Expand Messages
  • Pablo Averbuj
    ... I m not an expert, so it s quite likely I m wrong, but it sounds like this isn t particular to SOAP::Lite at all. It seems like apache creates a bunch of
    Message 1 of 3 , Apr 30, 2003
      On Wed, Apr 30, at 01:05PM, Trevor Leffler wrote:
      > I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
      > that--via some Apache directives--forces client SSL connections and client cert
      > authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
      > messages, and go on our merry ways.
      >
      > After the client authN, I would like to add client authZ by getting a handle on
      > the cert, extracting it's IP address (or any other cert attributes), and
      > comparing that against a list of "allowed" IPs. I could simply add the
      > appropriate directives to the .htaccess file (i.e. make Apache do the check),
      > but I'd like to do this check for each CGI SOAP server in the directory, because
      > each server offers a different set of SOAP services, and different clients
      > should be authZ'ed for only certain services.

      I'm not an expert, so it's quite likely I'm wrong, but it sounds
      like this isn't particular to SOAP::Lite at all. It seems like
      apache creates a bunch of environment variables for HTTPS
      connections that you can access and may be useful.

      http://www.apache-ssl.org/docs.html#CGI

      Particularly either the SSL_CLIENT_I_DN or the SSL_CLIENT_CERT if
      you don't want the DN.

      I'm also confused by the whole IP issue. It would seem me that if
      you want to restrict based on IP, you can use the standard CGI
      environment variables for the remote host (REMOTE_ADDR) and not
      trouble yourself with the SSL certificate at all. However, if
      you're using the SSL certificates for authentication (so that IP
      addresses don't matter) then you probably want to look at the
      certificate chain to make sure it terminates in a trusted source
      and the DN is authorized.

      HTH,
      -Pablo
    • Trevor Leffler
      ... Just wanted to tie this thread up. Yes, you are right: certificate information (e.g. DN, CN) is available to Apache, and to CGI program via env vars.
      Message 2 of 3 , May 2, 2003
        Pablo Averbuj wrote:
        > On Wed, Apr 30, at 01:05PM, Trevor Leffler wrote:
        >
        >>I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
        >>that--via some Apache directives--forces client SSL connections and client cert
        >>authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
        >>messages, and go on our merry ways.
        >>
        >>After the client authN, I would like to add client authZ by getting a handle on
        >>the cert, extracting it's IP address (or any other cert attributes), and
        >>comparing that against a list of "allowed" IPs. I could simply add the
        >>appropriate directives to the .htaccess file (i.e. make Apache do the check),
        >>but I'd like to do this check for each CGI SOAP server in the directory, because
        >>each server offers a different set of SOAP services, and different clients
        >>should be authZ'ed for only certain services.
        >
        >
        > I'm not an expert, so it's quite likely I'm wrong, but it sounds
        > like this isn't particular to SOAP::Lite at all. It seems like
        > apache creates a bunch of environment variables for HTTPS
        > connections that you can access and may be useful.
        >
        > http://www.apache-ssl.org/docs.html#CGI
        >
        > Particularly either the SSL_CLIENT_I_DN or the SSL_CLIENT_CERT if
        > you don't want the DN.
        >
        > I'm also confused by the whole IP issue. It would seem me that if
        > you want to restrict based on IP, you can use the standard CGI
        > environment variables for the remote host (REMOTE_ADDR) and not
        > trouble yourself with the SSL certificate at all. However, if
        > you're using the SSL certificates for authentication (so that IP
        > addresses don't matter) then you probably want to look at the
        > certificate chain to make sure it terminates in a trusted source
        > and the DN is authorized.
        >
        > HTH,
        > -Pablo

        Just wanted to tie this thread up. Yes, you are right: certificate information
        (e.g. DN, CN) is available to Apache, and to CGI program via env vars. And,
        this happens at the security (SSL) level, which doesn't really include SOAP
        (ignoring the various SOAP-sec standards in the works). So, my authN/authZ
        steps can be handled by either apache directives or my CGIs before the SOAP
        request is handled.

        Also, you're right about the IP/cert confusion--IP restriction can be
        unnecessarily restrictive or just plain unnecessary, and actually has little to
        do with certs. I would really be checking the cert's CN or DN against a known list.

        Thanks for the input,
        Oh, and sorry for cluttering the list with SSL stuff. Perhaps it'll help out
        the next guy, tho... ;)
        --Trevor
      Your message has been successfully submitted and would be delivered to recipients shortly.