[EMAIL PROTECTED] wrote:
Is there a (reasonable) way to authenticate a client (browser) certificate from a CGI without having to modify the web server configuration?
What we are up against is that we produce a package that is supported on a variety of platforms and web servers. We have been informed that to meet security requirements we have to do a public-private key authentication of the user.
Thanks in advance for any insights or direction.
I'll give it a try and hope someone else will tell me when I'm wrong.
I don't think that you can activate client authentication without modifying the web server configuration, since client authentication has to be requested during SSL handshake. To request a client cert you either have to know what you want before the connection is opened or you'll have to re-negotiate.
So since you (that is the CGI-script) do not handle the low level SSL-connection you'll need a way to tell the webserver that it should request a certificate from the client, and I doubt that you can do this if the server is not already configured to at least accept client certs.
Also I doubt that in your situation the CGI script can decide which certificate is valid since that should be a decision of the server's hostmaster and is usually handled by configuring the web server to use a certain list of root CAs.
--Richard
Hope it helps, Ted ;)
-- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
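An added example, not part of the original thread: since the handshake is finished before a CGI starts, the most the script can do is read the verdict the web server exports and fail closed when it is missing. It assumes Apache mod_ssl with `SSLVerifyClient` and `SSLOptions +StdEnvVars` enabled; the function name, the issuer allow-list and the sample environments are constructed for illustration.

```python
"""Added illustration: a CGI consumes the web server's client-cert verdict."""
import os


class ClientCertError(Exception):
    """The request carries no client certificate verified by the server."""


def verified_client_dn(environ, allowed_issuers=None):
    """Return the subject DN of the client cert the web server verified.

    Reads only variables set by the server (mod_ssl StdEnvVars assumed),
    never HTTP_* variables, which are derived from client-sent headers.
    """
    if environ.get("HTTPS", "").lower() != "on":
        raise ClientCertError("request did not arrive over TLS")
    verdict = environ.get("SSL_CLIENT_VERIFY")
    if verdict is None:
        # Server is not configured to request or export client certs.
        raise ClientCertError("server exports no client-cert variables")
    if verdict != "SUCCESS":
        # NONE = no cert sent, GENEROUS = accepted without CA check,
        # FAILED:<reason> = chain validation failed.
        raise ClientCertError("certificate not verified: " + verdict)
    subject = environ.get("SSL_CLIENT_S_DN", "")
    if not subject:
        raise ClientCertError("verified certificate has no subject DN")
    issuer = environ.get("SSL_CLIENT_I_DN", "")
    # Optional narrowing on top of the server's CA list (hypothetical policy).
    if allowed_issuers is not None and issuer not in allowed_issuers:
        raise ClientCertError("issuer not accepted by this application")
    return subject


# Constructed sample environments, not captured from a real server.
SAMPLE_OK = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
             "SSL_CLIENT_S_DN": "CN=alice,O=Example",
             "SSL_CLIENT_I_DN": "CN=Example Root CA,O=Example"}
SAMPLE_NO_CERT = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"}
SAMPLE_UNCONFIGURED = {"HTTPS": "on"}

if __name__ == "__main__":
    try:
        dn = verified_client_dn(os.environ)
        print("Content-Type: text/plain\n\nHello, " + dn)
    except ClientCertError as exc:
        print("Status: 403 Forbidden\nContent-Type: text/plain\n\n" + str(exc))
```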