Pablo Averbuj wrote:
> On Wed, Apr 30, at 01:05PM, Trevor Leffler wrote:
>>I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
>>that--via some Apache directives--forces client SSL connections and client cert
>>authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
>>messages, and go on our merry ways.
>>After the client authN, I would like to add client authZ by getting a handle on
>>the cert, extracting it's IP address (or any other cert attributes), and
>>comparing that against a list of "allowed" IPs. I could simply add the
>>appropriate directives to the .htaccess file (i.e. make Apache do the check),
>>but I'd like to do this check for each CGI SOAP server in the directory, because
>>each server offers a different set of SOAP services, and different clients
>>should be authZ'ed for only certain services.
> I'm not an expert, so it's quite likely I'm wrong, but it sounds
> like this isn't particular to SOAP::Lite at all. It seems like
> apache creates a bunch of environment variables for HTTPS
> connections that you can access and may be useful.
> Particularly either the SSL_CLIENT_I_DN or the SSL_CLIENT_CERT if
> you don't want the DN.
> I'm also confused by the whole IP issue. It would seem me that if
> you want to restrict based on IP, you can use the standard CGI
> environment variables for the remote host (REMOTE_ADDR) and not
> trouble yourself with the SSL certificate at all. However, if
> you're using the SSL certificates for authentication (so that IP
> addresses don't matter) then you probably want to look at the
> certificate chain to make sure it terminates in a trusted source
> and the DN is authorized.
Just wanted to tie this thread up. Yes, you are right: certificate information
(e.g. DN, CN) is available to Apache, and to CGI program via env vars. And,
this happens at the security (SSL) level, which doesn't really include SOAP
(ignoring the various SOAP-sec standards in the works). So, my authN/authZ
steps can be handled by either apache directives or my CGIs before the SOAP
request is handled.
Also, you're right about the IP/cert confusion--IP restriction can be
unnecessarily restrictive or just plain unnecessary, and actually has little to
do with certs. I would really be checking the cert's CN or DN against a known list.
Thanks for the input,
Oh, and sorry for cluttering the list with SSL stuff. Perhaps it'll help out
the next guy, tho... ;)