Alfredo, I don't know much Perl, but I think you can take information about the client cert in module ssl_engine_kernel.c, from an environment var by ssl_var_lookup, like the client cert in PEM for example, or the client email. But you have to set +Exporvar or something in the httpd.conf file of Apache.
Then use it in your Perl module. The problem is which way you intend to perform the LDAP search, and above all, which way you stored the cert in LDAP (I think DER format).
In that case the function i2d_X509_fp(FILE* FP, X509* xs) converts the cert from X509 to DER in a file; or you can take the cert DER straight in module s3_srvr.c, function get_client_certificates, from x or q (long l bytes).
Do you know something about LDAP search (v2) on a binary attribute (like cert DER) as filter?
I can't do that yet.


-----Original message-----
From: Alfredo Raul Pena <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday 9 April 1999 3.19
Subject: Re: ocsp developing


>Hi,
>I am very interested.
>
>I have actually done something similar in spirit, but very different.
>Using mod_perl and an AuthHandler, I translate a FakeBasicAuthentication
>user (the certificate's SubjectDN) to an LDAP user with that SubjectDN
>in a special attribute. I was looking for a way to access other
>information of the certificate in order to compare it with the one
>stored in the LDAP or something like that, but found that I have to
>access EAPI information from inside mod_perl and that is pending work.
>I handed what I did to Clayton Donley (author of PerLDAP and
>Apache-AuthLDAP modules), but he is very busy and never gave me feedback
>on what I did. If anyone is interested I can email a copy.
>
>I think your solution could be much better, and, with some time
>constraints, I offer to help with what I could.
>
>Regards, Alf
>
>Andrea e Luca Giacobazzi wrote:
>
>> Hi everybody, my name is Andrea Giacobazzi, and I'm developing a
>> patch for mod_ssl, exactly in function ssl_engine_kernel.c (look at
>> labels "Giacob") to realize an ocsp responder to verify the client
>> certificate during client authentication. It works with LDAP
>> directory v2 and looks for the client cert in the directory: if it's
>> present it sets ocsp status GOOD, else it sets ocsp status SUSPENDED. You can
>> change the directory name in the ldapservers var. Anyone interested in it?
>> Any hints? I'd like to realize a complete ocsp responder for LDAP,
>> and also HTTP then, compliant with IETF directives (see ocsp draft) and
>> maybe include it in mod_ssl. I'd like also to submit the activation of
>> the ocsp check to the config file of the Apache server: how is it possible to do
>> that? Thanks
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
>Official Support Mailing List               [EMAIL PROTECTED]
>Automated List Manager                       [EMAIL PROTECTED]
>

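An added example (not code from this thread, from mod_ssl or from Alfredo's handler), in Python in place of the Perl module discussed above: it takes the PEM client certificate that mod_ssl can export to the environment, converts it to DER as the thread assumes the directory stores it, builds the filter on the binary attribute with RFC 2254 `\xx` hex escaping (LDAPv3 filter syntax; the LDAPv2 grammar of RFC 1960 escapes only `*`, `(` and `)`, so a raw DER value cannot be expressed in a v2 filter), and shows the alternative Alfredo took: look the entry up by subject DN, then compare the stored DER against the presented certificate byte for byte. The attribute names and the sample bytes are constructed assumptions.

```python
import hmac
import ssl

# Constructed sample bytes standing in for a DER certificate (not a real
# certificate); they include the filter metacharacters * ( ) \ and a NUL.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0a, 0x2a, 0x28, 0x29, 0x5c, 0x00, 0xff])
# PEM form, as mod_ssl exports the client cert to the environment.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Hypothetical attribute names; use whatever your directory schema defines.
CERT_ATTR = "userCertificate;binary"
DN_ATTR = "sslSubjectDN"

_SPECIAL = b"*()\\\x00"  # must always be escaped in a filter value


def pem_to_der(pem: str) -> bytes:
    """PEM from the environment -> DER as stored in the directory."""
    return ssl.PEM_cert_to_DER_cert(pem)


def ldap_escape(value: bytes, hex_all: bool = False) -> str:
    """RFC 2254 filter-value escaping. hex_all=True escapes every byte,
    which is what a binary (DER) value needs."""
    out = []
    for b in value:
        if hex_all or b in _SPECIAL or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def binary_cert_filter(der: bytes) -> str:
    """Equality filter on the whole DER blob (needs LDAPv3 filter syntax)."""
    return "(%s=%s)" % (CERT_ATTR, ldap_escape(der, hex_all=True))


def subject_dn_filter(subject_dn: str) -> str:
    """Filter on the subject DN string, the lookup that also works over LDAPv2."""
    return "(%s=%s)" % (DN_ATTR, ldap_escape(subject_dn.encode("utf-8")))


def cert_matches(presented_pem: str, stored_der: bytes) -> bool:
    """After a DN lookup, confirm the presented cert is the stored one,
    byte for byte and in constant time (a prefix or a different length fails)."""
    return hmac.compare_digest(pem_to_der(presented_pem), stored_der)
```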