Hello, The tls-unique value is no longer available in TLS 1.3. I don't know if RFC 7030 will bring some update on it.
Anyway, back to TLS 1.2, where this value is available. I would like to implement the recommendation of RFC 7030 section 3.5 <https://datatracker.ietf.org/doc/html/rfc7030#section-3.5>, which consists of proving that the client that signed the CSR is the same client that established the TLS connection with the OpenXPKI server. I have an EST Golang client that is able to retrieve it.

I have a static challenge password defined in the EST server (OpenXPKI EST realm YAML file). I'm sending a CSR with the same challenge password that I defined in OpenXPKI, and it works.

[What I want] I would like to use the same approach as in authentication: the NoAuth handler that consumes an Apache environment variable to retrieve information such as the username (HTTP basic auth). Basically:

1. the challenge password would be retrieved from the incoming EST enroll request,
2. OpenXPKI consumes the tls-unique value from the incoming request and assigns it to the EST challenge password field that is defined in the EST YAML file,
3. the OpenXPKI-defined workflow remains the same: compare the challenge password in the CSR to the challenge password in the EST YAML file (assigned dynamically, at runtime).

I haven't seen much about how this TLS value can be retrieved from Apache; perhaps this is something the OpenXPKI community has already solved. Or perhaps there is a better approach other than consuming it from the Apache environment.

Thanks,
Mohamed
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
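An added example, not part of the post and not OpenXPKI code, showing the RFC 7030 section 3.5 binding end to end in Go: the client puts base64(tls-unique) into the CSR's challengePassword attribute, and the server checks the CSR's own signature and compares that attribute against the tls-unique of the connection that carried the request. The 12-byte tls-unique value is constructed; in a real Go client it is `tls.Conn.ConnectionState().TLSUnique`, which is nil under TLS 1.3 and for resumed sessions without extended master secret, so the check fails closed in that case. The server-side comparison is written in Go here only to show the logic (in Mohamed's setup it would live in OpenXPKI); the function and type names (`makeCSR`, `verifyPoP`, `tbsRequest`) are this example's own, and the CSR is assembled by hand because `x509.CreateCertificateRequest` cannot emit a challengePassword attribute.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
)

var oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7} // PKCS#9 challengePassword
var oidECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
// PKCS#10 CertificationRequest layout, assembled by hand because
// x509.CreateCertificateRequest cannot emit a challengePassword attribute.
type attribute struct {
	Type   asn1.ObjectIdentifier
	Values []string `asn1:"set"`
}
type tbsRequest struct {
	Version    int
	Subject    asn1.RawValue
	PublicKey  asn1.RawValue
	Attributes []asn1.RawValue `asn1:"tag:0"`
}
type certRequest struct {
	TBS       tbsRequest
	Algorithm pkix.AlgorithmIdentifier
	Signature asn1.BitString
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// RFC 7030 section 3.5: challengePassword = base64(tls-unique). tls-unique (RFC 5929) is the
// first Finished message of the session; a Go client reads it from ConnectionState().TLSUnique.
func challengeFromTLSUnique(tlsUnique []byte) string { return base64.StdEncoding.EncodeToString(tlsUnique) }

// makeCSR (client side) signs a CSR whose only attribute is the challengePassword.
func makeCSR(key *ecdsa.PrivateKey, challenge string) []byte {
	tbs := tbsRequest{
		Subject:    asn1.RawValue{FullBytes: must(asn1.Marshal(pkix.Name{CommonName: "est-client"}.ToRDNSequence()))},
		PublicKey:  asn1.RawValue{FullBytes: must(x509.MarshalPKIXPublicKey(&key.PublicKey))},
		Attributes: []asn1.RawValue{{FullBytes: must(asn1.Marshal(attribute{Type: oidChallengePassword, Values: []string{challenge}}))}},
	}
	digest := sha256.Sum256(must(asn1.Marshal(tbs)))
	sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
	return must(asn1.Marshal(certRequest{TBS: tbs, Algorithm: pkix.AlgorithmIdentifier{Algorithm: oidECDSAWithSHA256},
		Signature: asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)}}))
}

// verifyPoP (server side) binds the CSR to the TLS session that carried it. tlsUnique must be read
// from the server's own end of that connection, never from anything the client sent; it is empty on
// TLS 1.3 and on resumed sessions without extended master secret, and that case fails closed.
func verifyPoP(csrDER, tlsUnique []byte) error {
	if len(tlsUnique) == 0 {
		return errors.New("tls-unique unavailable for this session")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the CSR key
		return err
	}
	var tbs tbsRequest
	if _, err := asn1.Unmarshal(csr.RawTBSCertificateRequest, &tbs); err != nil {
		return err
	}
	for _, raw := range tbs.Attributes {
		var a attribute
		if _, err := asn1.Unmarshal(raw.FullBytes, &a); err != nil || !a.Type.Equal(oidChallengePassword) {
			continue // some other attribute, e.g. extensionRequest
		}
		if len(a.Values) == 1 && subtle.ConstantTimeCompare([]byte(a.Values[0]), []byte(challengeFromTLSUnique(tlsUnique))) == 1 {
			return nil
		}
		return errors.New("challengePassword does not match this session's tls-unique")
	}
	return errors.New("no challengePassword attribute in CSR")
}

func main() {
	// Constructed 12-byte stand-in for ConnectionState().TLSUnique of one TLS 1.2 session.
	tlsUnique := []byte{0x2a, 0x7f, 0x13, 0xc4, 0x90, 0x5e, 0x61, 0xd8, 0x07, 0xbb, 0x3f, 0xe2}
	csr := makeCSR(newKey(), challengeFromTLSUnique(tlsUnique)) // client end of that session
	fmt.Println(verifyPoP(csr, tlsUnique))                 // nil: same session
	fmt.Println(verifyPoP(csr, []byte("another session"))) // error: CSR replayed into a different session
	fmt.Println(verifyPoP(csr, nil))                       // error: TLS 1.3 gives no tls-unique
}
```

Two points worth keeping when porting this check into the EST server: the comparison value has to come from the TLS endpoint that terminated the client's connection (for a Go server that is the same `ConnectionState().TLSUnique` call, on its own `*tls.Conn`), not from a header or body field the client can set, otherwise the binding proves nothing; and a CSR whose challengePassword matches a static password can be replayed from any session, whereas one bound to tls-unique is only valid on the connection that produced it, which is the property RFC 7030 section 3.5 is after.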
