I'm re-implementing support for RFC5878 (TLS authorization extensions) in OpenSSL and subsequently mod_ssl.
I am working on contributing back the OpenSSL changes and would like to contribute back the mod_ssl changes.

A little RFC5878 background: the client sends a TLS extension representing the auth format(s) it supports. If the server supports the auth format(s), it sends back the same TLS extension. If either side needs to send data, the data is sent in the supplemental data message. Apps may choose to do this only during renegotiation.

I have working versions of OpenSSL and mod_ssl which exercise RFC5878 with DTCP-based authorization; a new RFC is in progress to support DTCP-based authorization in RFC5878. The current implementation only implements support for DTCP-based authorization; it doesn't provide support for the AuthzDataFormats defined in RFC5878. However, the OpenSSL API doesn't change, and implementing mod_ssl support for the other AuthzDataFormats should be straightforward.

DTCP-based authorization requires the server to send supplemental data, and the client to send supplemental data back to the server. At that point, the server sets a DTCP_VALIDATION_SUCCESSFUL variable so that CGI scripts know authorization was successful.

I've filed https://issues.apache.org/bugzilla/show_bug.cgi?id=54987 with details and links to the OpenSSL and mod_ssl changes, requesting feedback on the current implementation. Any comments/suggestions appreciated.

I understand it may make sense to hold off on accepting this contribution until the OpenSSL contribution has been accepted and the DTCP RFC is complete, but I thought I would solicit feedback now, as those other processes are in progress now.

Thanks much,
Scott
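The extension exchange described in the message above (client offers its AuthzDataFormats list, server echoes only what it supports) is the part most worth getting right on the server side, because the body is a length-prefixed list and a length byte that disagrees with the extension length must be rejected rather than read past. The following is an added example written for this page, not code from OpenSSL, mod_ssl or Scott's patch. The extension type numbers (client_authz 7, server_authz 8), the authz_data supplemental data type (16386) and the format values x509_attr_cert(0) through saml_assertion_url(3) are from RFC 5878; DTCP_AUTHZ_FORMAT_EXAMPLE is a placeholder value assumed for illustration, not the value the in-progress DTCP draft assigns.

```c
/* Added example (not OpenSSL/mod_ssl code): encode and parse the RFC 5878
 * AuthzDataFormats extension body, and pick the formats a server echoes back.
 *
 *   struct { AuthzDataFormat authz_format_list<1..2^8-1>; } AuthzDataFormats;
 *
 * i.e. one length byte followed by that many one-byte format identifiers. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CLIENT_AUTHZ_EXT_TYPE        7      /* RFC 5878 ExtensionType client_authz */
#define SERVER_AUTHZ_EXT_TYPE        8      /* RFC 5878 ExtensionType server_authz */
#define AUTHZ_DATA_SUPPLEMENTAL_TYPE 16386  /* RFC 5878 SupplementalDataType authz_data */

/* AuthzDataFormat values defined in RFC 5878. */
enum authz_format {
    X509_ATTR_CERT     = 0,
    SAML_ASSERTION     = 1,
    X509_ATTR_CERT_URL = 2,
    SAML_ASSERTION_URL = 3
};
/* Assumed placeholder for the DTCP format; the real value comes from the DTCP draft. */
#define DTCP_AUTHZ_FORMAT_EXAMPLE 0x80

/* Encode authz_format_list<1..2^8-1> into out. Returns bytes written, or 0 if
 * the list is empty, longer than 255 entries, or the buffer is too small. */
size_t authz_formats_encode(const uint8_t *formats, size_t n,
                            uint8_t *out, size_t outlen)
{
    if (n == 0 || n > 255 || outlen < n + 1)
        return 0;
    out[0] = (uint8_t)n;          /* vector length prefix */
    memcpy(out + 1, formats, n);
    return n + 1;
}

/* Parse an extension body. Returns the number of formats copied into formats,
 * or 0 if the body is malformed: shorter than two bytes, an empty list, a
 * length byte that does not match the remaining bytes (too short or trailing
 * data), or more entries than the caller can hold. */
size_t authz_formats_parse(const uint8_t *ext, size_t extlen,
                           uint8_t *formats, size_t maxn)
{
    size_t n;

    if (extlen < 2)               /* need length byte plus at least one entry */
        return 0;
    n = ext[0];
    if (n == 0 || extlen != n + 1 || n > maxn)
        return 0;
    memcpy(formats, ext + 1, n);
    return n;
}

/* Server side: keep only the client-offered formats the server also supports,
 * preserving the client's preference order. Returns the number selected; 0
 * means the server should not send server_authz at all. */
size_t authz_formats_select(const uint8_t *client, size_t nc,
                            const uint8_t *server, size_t ns,
                            uint8_t *out, size_t maxn)
{
    size_t i, j, k = 0;

    for (i = 0; i < nc && k < maxn; i++) {
        for (j = 0; j < ns; j++) {
            if (client[i] == server[j]) {
                out[k++] = client[i];
                break;
            }
        }
    }
    return k;
}
```

The parse routine deliberately requires the length byte to account for exactly the remaining extension bytes: a ClientHello whose length byte claims more entries than are present is dropped as malformed, and trailing bytes are rejected rather than silently ignored, which is the behaviour a server implementing this extension should have before it ever reaches the supplemental data exchange.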