My problem:

I need to authenticate based on certificates from multiple, unrelated CAs. Because 
FakeBasicAuth only maps on the subject, it won't work on its own; a hacker could 
register the same subject name with a different (but still accepted) CA.

My first attempt to work around this was to use a fastcgi authenticator, but 
apparently the fastcgi authenticator can't access the client certificate, even if 
+ExportCertData is set.

So unless I'm missing something, I'm off to hack the source code. I'm interested in 
opinions on how this hack would be most useful to the mod_ssl community.

Some options:
1. Make sure that a fastcgi authenticator gets the client cert
2. +FakeBasicAuth2: Use a hash of all the signed information instead of just the 
subject. This is easily extracted from the certificate
3. Modify the SSLRequire expression language to allow user defined functions.

Thanks,

Jim


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

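The collision the post describes, demonstrated as an added example (not part of the original message or of mod_ssl): two constructed, unrelated CAs each issue a certificate for "CN=alice"; keying identity on the subject DN alone, as FakeBasicAuth does, makes them indistinguishable, while keying on issuer plus subject, or on the SHA-256 fingerprint of the whole signed certificate (close to the poster's option 2), keeps them apart. Assumes only the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added demonstration: subject-only identity collides across CAs.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: one self-signed root per "CA name" ($1).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
    -subj "/O=$1/CN=$1 Root CA" >/dev/null 2>&1
}

# Constructed test data: a leaf cert for CN=alice signed by CA $1.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/alice-$1.key" -out "$WORK/alice-$1.csr" \
    -subj "/CN=alice" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/alice-$1.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/alice-$1.pem" >/dev/null 2>&1
}

# Three candidate identity keys for a PEM certificate ($1).
subject_only()       { openssl x509 -in "$1" -noout -subject; }                     # what FakeBasicAuth uses
issuer_and_subject() { openssl x509 -in "$1" -noout -issuer -subject | tr '\n' '|'; } # scoped to the issuing CA
cert_fingerprint()   { openssl x509 -in "$1" -noout -fingerprint -sha256; }          # hash of the whole signed cert

make_ca ca1; make_ca ca2
make_leaf ca1; make_leaf ca2
A="$WORK/alice-ca1.pem"; B="$WORK/alice-ca2.pem"

# Same subject from two CAs: identical with subject-only keying, distinct otherwise.
echo "subject only (A): $(subject_only "$A")"
echo "subject only (B): $(subject_only "$B")"
echo "issuer+subject (A): $(issuer_and_subject "$A")"
echo "issuer+subject (B): $(issuer_and_subject "$B")"
echo "fingerprint (A): $(cert_fingerprint "$A")"
echo "fingerprint (B): $(cert_fingerprint "$B")"
```

The user-to-credential map that FakeBasicAuth builds would contain a single entry for both certificates; the other two keys give one entry per (CA, subject) pair.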