
RE: [soaplite] SSL certificate authentication

  • Paul Kulchenko
    Message 1 of 4 , Jul 31, 2001
      Hi, Michael!

      Thanks for the help :). There is also IO::Socket::SSL that I used for
      TCP transport (it should also support SSL, even if it's not
      documented). I DO plan to add support for it for Daemon
      implementation (Net::Daemon::SSL is basically a hack around
      IO::Socket::SSL as far as I remember and I plan to do a similar
      thing) and HTTP client. Seems like it might be done transparently
      (you'll need to provide additional parameters for proxy SSL_*), but I
      didn't go deep yet. I'm working on it and any help would be greatly
      appreciated.

      Best wishes, Paul.

      --- Michael Percy <mpercy@...> wrote:
      > Taras,
      > I was looking at this today actually, although I did not get very far.
      > Promising modules look like:
      >
      > Server:
      > - NET::SSLeay by Sampo Kellomaki
      > <http://search.cpan.org/search?dist=Net_SSLeay.pm>
      > - Net::Daemon::SSL by Michael Kulakov
      > <http://search.cpan.org/search?dist=Net-Daemon-SSL>
      >
      > Client:
      > - Crypt::SSLeay by Joshua Chamas
      > <http://search.cpan.org/search?dist=Crypt-SSLeay>
      >
      > NET::SSLeay by Sampo was recommended in some docs I read somewhere
      > (I think for Crypt::SSLeay). I am looking to tackle getting this to
      > work with SOAP::Transport::HTTP::Daemon in the near future, so if you
      > make any progress please be open about it, if you can :) Maybe we can
      > get it into the distribution and save some work for Paul.
      >
      > HTH,
      > Mike
      >
      > > -----Original Message-----
      > > From: Taras Shkvarchuk [mailto:tshkvarchuk@...]
      > > Sent: Tuesday, July 31, 2001 3:33 PM
      > > To: 'soaplite@yahoogroups.com'
      > > Subject: [soaplite] SSL certificate authentication
      > >
      > >
      > > Hello,
      > > I was wondering if any of you have been playing around with
      > > certificate authentication?
      > > I need to have SSL certificate authentication for client and server
      > > implementations. So if any of you have any ideas where to start
      > > looking, I would be grateful for any pointers.
      > >
      > > Paul, were you planning on adding certificate support to SOAP::Lite
      > > in the future?
      > >
      > > Thanks,
      > > Taras
      > >


    • Taras Shkvarchuk
      Message 2 of 4 , Aug 6 4:54 PM
        Hi all,
        I got the certificate authentication working but in Unix only for now. I
        have had some problems installing Crypt::SSLeay 0.29 in Windows.
        The 0.29 version doesn't support setting a password for the private key; it
        gives you a prompt, so I had to make a small patch.
        To use the certificates you need to set 3 environment vars: HTTPS_CERT_FILE,
        HTTPS_KEY_FILE, HTTPS_CERT_PASS. (CERT_FILE and KEY_FILE are often the same
        file.) Everything else will be taken care of by the Crypt::SSLeay module.

        Hope it helps.
        -Taras

        Here is the simple patch (needed only if you are using an encrypted private
        key and don't want a user prompt).

        use Net::SSL;
        package Net::SSL;
        use GC::Cert;

        # Replaces Net::SSL::configure_certs so that the private-key passphrase
        # is taken from HTTPS_CERT_PASS instead of an interactive prompt.
        sub configure_certs {
            my $self = shift;
            my $ctx = *$self->{ssl_ctx};
            my $c_pass = $ENV{'HTTPS_CERT_PASS'};

            # Register the passphrase before the key file is loaded below.
            eval {
                if ($c_pass) {
                    GC::Cert::SSL_CTX_set_default_passwd_cb_userdata($ctx, $c_pass);
                }
            };
            if ($@) { print "\nNet:SSL Error:" . $@ . "\n"; }

            my $count = 0;
            for ('HTTPS_CERT_FILE', 'HTTPS_KEY_FILE') {
                my $file = $ENV{$_};
                if ($file) {
                    (-e $file) or die("$file file does not exist: $!");
                    $count++;
                    if (/CERT/) {
                        # second argument 1 = PEM file type
                        $ctx->use_certificate_file($file, 1) || die("failed to load $file: $!");
                    } elsif (/KEY/) {
                        $ctx->use_PrivateKey_file($file, 1) || die("failed to load $file: $!");
                    } else {
                        die("setting $_ not supported");
                    }
                }
            }

            # if both configs are set, then verify them
            if ($count == 2) {
                if (! $ctx->check_private_key) {
                    die("Private key and certificate do not match");
                }
            }

            $count; # number of successful cert loads/checks
        }



        Here is the xs file for actually setting the password.
        #ifdef __cplusplus
        extern "C" {
        #endif
        #include "EXTERN.h"
        #include "perl.h"
        #include "XSUB.h"

        /* ssl.h or openssl/ssl.h is included from the crypt_ssleay_version
        * file which is written when building with perl Makefile.PL
        * #include "ssl.h"
        */
        #include "openssl/ssl.h"

        #ifdef __cplusplus
        }
        #endif


        MODULE = GC::Cert    PACKAGE = GC::Cert
        PROTOTYPES: DISABLE

        void
        SSL_CTX_set_default_passwd_cb_userdata(ctx, pass)
            SSL_CTX* ctx
            char* pass


        Here is Cert.pm
        package GC::Cert;

        require 5.005_62;
        use strict;
        use warnings;

        require Exporter;
        require DynaLoader;

        our @ISA = qw(Exporter DynaLoader);

        # Items to export into callers namespace by default. Note: do not export
        # names by default without a very good reason. Use EXPORT_OK instead.
        # Do not simply export all your public functions/methods/constants.

        # This allows declaration use GC::Cert ':all';
        # If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
        # will save memory.
        our %EXPORT_TAGS = ( 'all' => [ qw(

        ) ] );

        our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );

        our @EXPORT = qw(

        );
        our $VERSION = '0.01';

        bootstrap GC::Cert $VERSION;

        # Preloaded methods go here.

        1;
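
Added example, not part of the message above and not SOAP::Lite or Crypt::SSLeay code: a SOAP::Lite client that presents a client certificate through the three environment variables described in the message, assuming the configure_certs patch from the message is already loaded (HTTPS_CERT_PASS has no effect without it). The file paths, endpoint, namespace and the `echo` method are constructed placeholders; the passphrase is read from an owner-only file and set with local() so it does not stay in %ENV for child processes started later.

```perl
#!/usr/bin/perl
# Added example: client-certificate SOAP call via HTTPS_CERT_FILE,
# HTTPS_KEY_FILE and HTTPS_CERT_PASS.
# Assumes the Net::SSL::configure_certs patch from the message is loaded first.
use strict;
use warnings;
use SOAP::Lite;

# Constructed placeholder values: replace with your own.
my $cert_file = '/etc/myapp/client-cert.pem';
my $key_file  = '/etc/myapp/client-key.pem';
my $pass_file = '/etc/myapp/client-key.pass';
my $endpoint  = 'https://soap.example.com/service';
my $namespace = 'urn:Example';

# Refuse key material that group or others can read (Unix mode bits).
sub check_private {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    die "$path is accessible by group or others\n" if $st[2] & 077;
    return $path;
}

# Read the passphrase from a file instead of exporting it from the shell.
sub read_passphrase {
    my ($path) = @_;
    open(my $fh, '<', check_private($path)) or die "cannot open $path: $!\n";
    my $pass = <$fh>;
    close($fh);
    defined $pass or die "$path is empty\n";
    chomp $pass;
    return $pass;
}

sub call_with_client_cert {
    my ($method, @args) = @_;
    # local() removes these entries from %ENV again when the sub returns.
    local $ENV{HTTPS_CERT_FILE} = $cert_file;
    local $ENV{HTTPS_KEY_FILE}  = check_private($key_file);
    local $ENV{HTTPS_CERT_PASS} = read_passphrase($pass_file);

    my $som = SOAP::Lite->uri($namespace)->proxy($endpoint)->call($method => @args);
    die 'SOAP fault: ' . $som->faultstring . "\n" if $som->fault;
    return $som->result;
}

print call_with_client_cert('echo', 'hello'), "\n";
```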