
SSL certificate authentication

  • Taras Shkvarchuk
    Message 1 of 4 , Jul 31, 2001
      Hello,
      I was wondering if any of you have been playing around with certificate
      authentication?
      I need to have SSL certificate authentication for client and server
      implementations. So if any of you have any ideas where to start looking, I
      would be grateful for any pointers.

      Paul, were you planning on adding certificate support to SOAP::Lite in the
      future?

      Thanks,
      Taras
    • Michael Percy
      Message 2 of 4 , Jul 31, 2001
        Taras,
        I was looking at this today actually, although I did not get very far.
        Promising modules look like:

        Server:
        - Net::SSLeay by Sampo Kellomaki
        <http://search.cpan.org/search?dist=Net_SSLeay.pm>
        - Net::Daemon::SSL by Michael Kulakov
        <http://search.cpan.org/search?dist=Net-Daemon-SSL>

        Client:
        - Crypt::SSLeay by Joshua Chamas
        <http://search.cpan.org/search?dist=Crypt-SSLeay>

        Net::SSLeay by Sampo was recommended in some docs I read somewhere (I think
        for Crypt::SSLeay). I am looking to tackle getting this to work with
        SOAP::Transport::HTTP::Daemon in the near future, so if you make any
        progress please be open about it, if you can :) Maybe we can get it into the
        distribution and save some work for Paul.

        HTH,
        Mike

        > -----Original Message-----
        > From: Taras Shkvarchuk [mailto:tshkvarchuk@...]
        > Sent: Tuesday, July 31, 2001 3:33 PM
        > To: 'soaplite@yahoogroups.com'
        > Subject: [soaplite] SSL certificate authentication
        >
        >
        > Hello,
        > I was wondering if any of you have been playing around with
        > certificate
        > authentication?
        > I need to have SSL certificate authentication for client and server
        > implementations. So if any of you have any ideas where to
        > start looking, I
        > would be grateful for any pointers.
        >
        > Paul, were you planning on adding certificate support to
        > SOAP::Lite in the
        > future?
        >
        > Thanks,
        > Taras
      • Paul Kulchenko
        Message 3 of 4 , Jul 31, 2001
          Hi, Michael!

          Thanks for the help :). There is also IO::Socket::SSL that I used for
          TCP transport (it should also support SSL, even if it's not
          documented). I DO plan to add support for it for the Daemon
          implementation (Net::Daemon::SSL is basically a hack around
          IO::Socket::SSL as far as I remember and I plan to do a similar
          thing) and the HTTP client. Seems like it might be done transparently
          (you'll need to provide additional parameters for proxy SSL_*), but I
          didn't go deep yet. I'm working on it and any help would be greatly
          appreciated.

          Best wishes, Paul.

          --- Michael Percy <mpercy@...> wrote:
          > Taras,
          > I was looking at this today actually, although I did not get very
          > far.
          > Promising modules look like:
          >
          > Server:
          > - Net::SSLeay by Sampo Kellomaki
          > <http://search.cpan.org/search?dist=Net_SSLeay.pm>
          > - Net::Daemon::SSL by Michael Kulakov
          > <http://search.cpan.org/search?dist=Net-Daemon-SSL>
          >
          > Client:
          > - Crypt::SSLeay by Joshua Chamas
          > <http://search.cpan.org/search?dist=Crypt-SSLeay>
          >
          > Net::SSLeay by Sampo was recommended in some docs I read somewhere
          > (I think
          > for Crypt::SSLeay). I am looking to tackle getting this to work
          > with
          > SOAP::Transport::HTTP::Daemon in the near future, so if you make
          > any
          > progress please be open about it, if you can :) Maybe we can get it
          > into the
          > distribution and save some work for Paul.
          >
          > HTH,
          > Mike
          >
          > > -----Original Message-----
          > > From: Taras Shkvarchuk [mailto:tshkvarchuk@...]
          > > Sent: Tuesday, July 31, 2001 3:33 PM
          > > To: 'soaplite@yahoogroups.com'
          > > Subject: [soaplite] SSL certificate authentication
          > >
          > >
          > > Hello,
          > > I was wondering if any of you have been playing around with
          > > certificate
          > > authentication?
          > > I need to have SSL certificate authentication for client and
          > server
          > > implementations. So if any of you have any ideas where to
          > > start looking, I
          > > would be grateful for any pointers.
          > >
          > > Paul, were you planning on adding certificate support to
          > > SOAP::Lite in the
          > > future?
          > >
          > > Thanks,
          > > Taras
        • Taras Shkvarchuk
          Message 4 of 4 , Aug 6, 2001
            Hi all,
            I got the certificate authentication working but in unix only for now. I
            have had some problems installing Crypt::SSLeay 0.29 in windows.
            The 0.29 version doesn't support setting a password for the private key and
            gives you a prompt, so I had to make a small patch.
            To use the certificates you need to set 3 environment vars: HTTPS_CERT_FILE,
            HTTPS_KEY_FILE, HTTPS_CERT_PASS (CERT_FILE and KEY_FILE are often the same
            file). Everything else will be taken care of by the Crypt::SSLeay module.

            Hope it helps.
            -Taras

            Here is the simple patch (needed only if you are using an encrypted private
            key and don't want a user prompt).

            use Net::SSL;
            package Net::SSL;
            use GC::Cert;

            # Replacement for Net::SSL::configure_certs that also honours HTTPS_CERT_PASS.
            sub configure_certs {
                my $self   = shift;
                my $ctx    = *$self->{ssl_ctx};
                my $c_pass = $ENV{'HTTPS_CERT_PASS'};

                # Store the passphrase as the password-callback userdata; OpenSSL's
                # default password callback then uses it instead of prompting.
                eval {
                    if ($c_pass) {
                        GC::Cert::SSL_CTX_set_default_passwd_cb_userdata($ctx, $c_pass);
                    }
                };
                if ($@) { print "\nNet:SSL Error:" . $@ . "\n"; }

                my $count = 0;
                for ('HTTPS_CERT_FILE', 'HTTPS_KEY_FILE') {
                    my $file = $ENV{$_};
                    if ($file) {
                        (-e $file) or die("$file file does not exist: $!");
                        $count++;
                        # The second argument (1) selects PEM format.
                        if (/CERT/) {
                            $ctx->use_certificate_file($file, 1) || die("failed to load $file: $!");
                        } elsif (/KEY/) {
                            $ctx->use_PrivateKey_file($file, 1) || die("failed to load $file: $!");
                        } else {
                            die("setting $_ not supported");
                        }
                    }
                }

                # if both configs are set, then verify them
                if ($count == 2) {
                    if (!$ctx->check_private_key) {
                        die("Private key and certificate do not match");
                    }
                }

                $count;    # number of successful cert loads/checks
            }



            Here is the xs file for actually setting the password.

            #ifdef __cplusplus
            extern "C" {
            #endif
            #include "EXTERN.h"
            #include "perl.h"
            #include "XSUB.h"

            /* ssl.h or openssl/ssl.h is included from the crypt_ssleay_version
             * file which is written when building with perl Makefile.PL
             * #include "ssl.h"
             */
            #include "openssl/ssl.h"

            #ifdef __cplusplus
            }
            #endif


            MODULE = GC::Cert    PACKAGE = GC::Cert
            PROTOTYPES: DISABLE

            void
            SSL_CTX_set_default_passwd_cb_userdata(ctx, pass)
                SSL_CTX* ctx
                char* pass


            Here is Cert.pm:
            package GC::Cert;

            require 5.005_62;
            use strict;
            use warnings;

            require Exporter;
            require DynaLoader;

            our @ISA = qw(Exporter DynaLoader);

            # Items to export into callers namespace by default. Note: do not export
            # names by default without a very good reason. Use EXPORT_OK instead.
            # Do not simply export all your public functions/methods/constants.

            # This allows declaration use GC::Cert ':all';
            # If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
            # will save memory.
            our %EXPORT_TAGS = ( 'all' => [ qw(

            ) ] );

            our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );

            our @EXPORT = qw(

            );
            our $VERSION = '0.01';

            bootstrap GC::Cert $VERSION;

            # Preloaded methods go here.

            1;
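
An added example, not part of the original thread or of Crypt::SSLeay: a pre-flight check for the environment variables described in message 4 (HTTPS_CERT_PASS exists only with the patch posted there). It assumes Unix file modes and PEM-encoded keys; `check_https_env` and the stub key file are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the original post. Pre-flight check for the
# three environment variables named above before Crypt::SSLeay reads them.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Returns a list of problem strings; an empty list means the settings look sane.
sub check_https_env {
    my %env = @_;
    my @problems;
    for my $var (qw(HTTPS_CERT_FILE HTTPS_KEY_FILE)) {
        my $file = $env{$var};
        if (!defined $file || $file eq '') { push @problems, "$var is not set"; next; }
        if (!-r $file) { push @problems, "$var: $file is missing or unreadable"; next; }
        next unless $var eq 'HTTPS_KEY_FILE';

        # The private key should not be accessible to group or other.
        my $mode = (stat $file)[2] & 07777;
        push @problems, sprintf("%s: mode %04o allows group/other access", $file, $mode)
            if $mode & 0077;

        # Traditional PEM keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use
        # "BEGIN ENCRYPTED PRIVATE KEY". Either one needs a passphrase.
        open my $fh, '<', $file or die "cannot open $file: $!";
        my $text = do { local $/; <$fh> };
        close $fh;
        my $encrypted = $text =~ /^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----/m;
        my $has_pass  = defined $env{HTTPS_CERT_PASS} && length $env{HTTPS_CERT_PASS};
        push @problems, "key is encrypted but HTTPS_CERT_PASS is empty (expect a prompt)"
            if $encrypted && !$has_pass;
        push @problems, "HTTPS_CERT_PASS is set but the key is not encrypted"
            if !$encrypted && $has_pass;
    }
    return @problems;
}

# Constructed sample: a stub PEM file holding only the headers (no real key material).
my $dir = tempdir(CLEANUP => 1);
my $pem = "$dir/client.pem";
open my $out, '>', $pem or die "cannot write $pem: $!";
print $out "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n",
           "-----END RSA PRIVATE KEY-----\n";
close $out;
chmod 0644, $pem;    # deliberately too open, so the check reports it

print "$_\n" for check_https_env(HTTPS_CERT_FILE => $pem, HTTPS_KEY_FILE => $pem);
```

In a real client, pass `%ENV` to the function before the first HTTPS request; a passphrase held in the environment is inherited by every child process the script starts.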