Right now, mod_gnutls uses a flat-file SRP verifier to store SRP user params for TLS-SRP. I would like to implement a database backend similar to mod_authn_dbd so that mod_gnutls can query an SQL database for a user's SRP parameters.
This would let mod_gnutls integrate well with Web apps that already do their own user management. I already have a TLS-SRP WordPress plugin[1] and Django app[2] that would benefit greatly from this feature. Currently, I have to modify the SRP passwd file and keep it in sync with the apps' own user DBs, which is a pain and would not scale (due to flat-file concurrency issues). With something like GNUTLSSRPPasswdQuery, however, it would be very easy for these apps to use TLS-SRP. It would be a great use case for mod_gnutls, too: site owners could enable SSL on WordPress and Django just by installing mod_gnutls and my plugins, with no certificate needed.

For example, instead of just being able to specify:

    GnuTLSSRPPasswdFile /path/to/passwd.srpv

I would like to be able to specify something like:

    DBDriver mysql
    DBDParams "dbname=srpauth user=apache password=xxxxxx"
    DBDPrepareSQL "SELECT srpN, srpg, srpv, srps FROM srpusers WHERE user = %s" srp_lookup_user
    GNUTLSSRPPasswdQuery srp_lookup_user

Unfortunately, mod_authn_dbd (or other mod_authn_*) can't be used directly (without patches to Apache httpd core), since AuthDBDUserPWQuery, AuthUserFile, etc., are only valid in directory configs. Also, they only expose functions for looking up HTTP Basic and Digest values. In the longer term, I would like to make them usable for TLS SRP/PAKE authentication (by both mod_gnutls and mod_ssl[3]) by adding a srp_lookup_user function. That'll take a long time, however.

I am prepared to submit a patch that implements the GNUTLSSRPPasswdQuery feature in the next couple of weeks, but I wanted to solicit feedback on (1) whether this is the best way to do this and (2) if the mod_gnutls maintainers would accept this patch, even though it slightly (and unavoidably, without httpd core changes) duplicates mod_authn_dbd.
[1] http://trustedhttp.org/wiki/TLS-SRP_Authentication_in_WordPress
[2] http://trustedhttp.org/wiki/TLS-SRP_in_Django
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Apache_mod_ssl

-Quinn

_______________________________________________
Modules mailing list
Modules@lists.outoforder.cc
http://lists.outoforder.cc/mailman/listinfo/modules
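As an added illustration (not code from the post, mod_gnutls or mod_dbd), the following shows what an app-side "srpusers" table with the columns named in the proposed DBDPrepareSQL statement would hold, and how the lookup query would be served: the verifier is computed as in RFC 5054 (x = SHA1(s | SHA1(I ":" P)), v = g^x mod N) and stored per user alongside its group. The group constants, the hex column encoding, the function names and the use of SQLite with a "?" placeholder (mod_dbd uses "%s") are assumptions made here so the example runs stand-alone.

```python
import hashlib
import os
import sqlite3
from typing import Optional, Tuple

# Toy group, constructed for this example only: a real deployment would use an
# RFC 5054 group (e.g. the 2048-bit one). 5 generates the full group mod 23.
TOY_N = 23
TOY_g = 5

def srp_verifier(user: str, password: str, salt: bytes,
                 N: int = TOY_N, g: int = TOY_g) -> int:
    """TLS-SRP (RFC 5054) verifier: x = SHA1(s | SHA1(I ":" P)), v = g^x mod N."""
    inner = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    x = int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")
    return pow(g, x, N)

def init_db() -> sqlite3.Connection:
    # Column names match the SELECT in the proposed DBDPrepareSQL statement;
    # hex text encoding of N, g, v and s is an assumption of this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE srpusers (user TEXT PRIMARY KEY, "
                 "srpN TEXT, srpg TEXT, srpv TEXT, srps TEXT)")
    return conn

def enroll_user(conn: sqlite3.Connection, user: str, password: str,
                N: int = TOY_N, g: int = TOY_g, salt: Optional[bytes] = None) -> int:
    """What the WordPress/Django side would do at signup or password change."""
    salt = salt if salt is not None else os.urandom(16)
    v = srp_verifier(user, password, salt, N, g)
    conn.execute("INSERT OR REPLACE INTO srpusers VALUES (?, ?, ?, ?, ?)",
                 (user, format(N, "x"), format(g, "x"), format(v, "x"), salt.hex()))
    conn.commit()
    return v

def lookup_user(conn: sqlite3.Connection,
                user: str) -> Optional[Tuple[int, int, int, bytes]]:
    """The query GNUTLSSRPPasswdQuery would run; the user name is bound as a
    parameter, never interpolated into the SQL text."""
    row = conn.execute("SELECT srpN, srpg, srpv, srps FROM srpusers WHERE user = ?",
                       (user,)).fetchone()
    if row is None:
        return None  # unknown user: mod_gnutls would fail the handshake
    N_hex, g_hex, v_hex, s_hex = row
    return int(N_hex, 16), int(g_hex, 16), int(v_hex, 16), bytes.fromhex(s_hex)
```

Because the database holds v (not the password) and the app writes rows through the DB's own locking, the flat-file sync and concurrency problems described above go away.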