cURL / Mailing Lists / curl-library / Single Mail


Re: htts SSLRequire feature

From: Xavier Jeannin <>
Date: Sun, 13 Oct 2002 12:25:10 +0200


Thank you for your first answer, I can see that my question was confused, I will
try to precise it here.

My purpose :
I want a user (browser) can directly connect in a Web application on a server
that I contol using only their certificat.
Every Web application (like TUTOS) possess a table of account for the people that
access to this application.
So a person has to supply a Login and a password for every Web application that
she can use.
As I can verify the certificat of person directly on my Web server and so I can
authenticate this person.
In fact, I try to suppress the login task into the Web application for the user.

My configuration :
I have done a program "logcertif.php" (PHP but It can be in other langage if it
needs) that simulate the login into the Web application TUTOS.
This program is in the same directory of the Web application TUTOS on the same
Web server, so TUTOS and "logcertif.php" are submitted to the same verification
from the web server.

 BROWSER with certificate----(HTTPS1)--> PHP program using curl ""
----(HTTPS2)--> TUTOS
--client---------------------------------|--------------------the server same

my program :


$ch = curl_init ('');
curl_setopt ($ch, CURLOPT_POSTFIELDS,
             array ('uname' => "$login",
                    'pw' => "$pass",
                   'dbnr' => '0',
                   'rien' => 'rien' ));
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie$login");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

# envoi du formulaire et recuperation du cookie et de la page html
$postResult = curl_exec ($ch);
curl_close ($ch);

# lecture du cookie sur disque
$fp = fopen("/tmp/cookie$login","r");
if (!$fp) {
      Echo ("UREC : /tmp/cookie$login : file unreadable");
while (!feof($fp)) {
    $line = fgets ($fp, 512);
    $regs = split(" +",trim($line));
    # si la ligne n'est pas un commentaire ou n'est pas juste un saut de ligne ou
n'est pas vide
    if (!((ereg("^#.*",$line,$res)) || (ereg("^\n",$line,$res)) ||
        # envoi du cookie au client

# effacement du fichier cookie sauvegarde sur le disque serveur
`rm /tmp/cookie$login`;

# envoi de la page html au client
echo $postResult;

If my apache configuration is :
<Directory "/xxx/xxx/TUTOS">
        SSLVerifyClient require
        SSLVerifyDepth 5
        AuthAuthoritative on
        Options -Indexes
        AllowOverride None
        Order allow,deny
it works fine (it was what I called only SSL)

If my apache configuration is :
<Directory "/xxx/xxx/TUTOS">
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "XXX" \
                and %{SSL_CLIENT_S_DN_OU} eq "XXX" \
                and %{SSL_CLIENT_S_DN_Email} =~ m/
        AuthAuthoritative on
        Options -Indexes
        AllowOverride None
        Order allow,deny
my program 'logcertif.php' does not work, all others programs work fine in this

When you connect to "logcertif.php", apache verify the certificat and run
logcertificate.php but the connection to
"" failed.
SSL said that the expression " m/" is not matched.
Can get the information used for the first conection about the certificat and
send in my program logcertif.php for the second connection ?
In other word, is it possible the certificate follow in the second connection ?
Do you know if it is possible to do such connection ?

Thank you for your help and sorry for my poor english.
best regards
Xavier Jeannin

Daniel Stenberg wrote:

> On Sat, 12 Oct 2002, Xavier Jeannin wrote:
> > I am trying to perform a connection to a Web application (like TUTOS writed
> > in PHP) directly authenticated by my certificate. So I write a php program
> > "logcertif.php" thanks to cURL that performs the login on TUTOS based on
> > the information that I can collect in Apache environnement variable on the
> > user Certificate. cURL work fine if I use only SSL.
> "only SSL" ?
> > If I ask to Apach a "SSLRequire" order in apache configuration to select
> > who can use TUTOS, it does not work.
> Your PHP program uses curl to access a remote site, right? This "SSLRequire"
> keyword is used in the Apache that limits the access to your PHP program?
> So how can a limit in Apache that hinders wrong people to run your program
> affect curl, and how can curl know about that?
> > SSL complains, I suppose it is due because it is not the same SSL session
> > number between the browser to my program "logcertif.php" and my program
> > "logcertif.php" on my server to TUTOS on my server.
> I really don't follow you here. Are you saying that you browse the page with
> your PHP program using HTTPS and that fails? If so, how does that involve
> curl the slightest bit?
> I must be stupid, but I just don't understand what you're trying to do and
> how this can be a curl problem. Can you be somewhat more elaborate? Let me
> show you how I interpret what you describes:
> BROWSER ----(HTTPS1)--> your PHP program using curl ----(HTTPS2)--> TUTOS
> And you're having problem with the HTTPS1? Or are you saying that the HTTPS2
> connection is not working? What connection is the Apache serving that you
> have your SSLRequest in?
> > I have read in list archive that this feature is not implemented in cURL. I
> > have seen that this feature has been included in the ToDo list.
> > "Add an interface to libcurl that enables "session IDs" to get
> > exported/imported. Cris Bailiff said: "OpenSSL has functions which can
> > serialise the current SSL state to a buffer of your choice, and
> > recover/reset the state from such a buffer at a later date - this is used
> > by mod_ssl for apache to implement and SSL session ID cache". This whole
> > idea might become moot if we enable the 'data sharing' as mentioned in the
> > LIBCURL label above. "
> I think your confusing matters very much here. That missing feature would
> mainly be useful for SSL session ID caching to work between multiple curl
> handles (and similar). I can't see how that would make a difference to you.
> > Could you confirm you that it not for the moment possible to do what I want
> > with cURL ? If it is the case do you know if this feature will be
> > implemented ?
> I don't understand what you want to do yet!
> Perhaps someone else understood better and can supply a more accurate answer.
> > PS: Sorry if my question is not in the right list ?
> It seems like the right list, yes.
> --
> Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
> -------------------------------------------------------
> This email is sponsored by:ThinkGeek
> Welcome to geek heaven.

Xavier Jeannin   UREC/CNRS
UniversitÚ P. & M. Curie - Tour 65/66 - 4iŔme Útage
Courrier : case 171
4, place Jussieu - 75252 PARIS CEDEX 05
TÚl : 01 44 27 42 59 - Fax : 01 44 27 42 61
This email is sponsored by:ThinkGeek
Welcome to geek heaven.
Received on 2002-10-13