Re: htts SSLRequire feature
Date: Sun, 13 Oct 2002 13:37:08 +0200
Thank you very much for your opinion
>I doubt you can do that. It would seem a bit strange that any server could
>steal the client's certificates at will.
I agree with you, it seems strange that a server can steal a ssl connection.
>Aaaah! Well of course. Your program that runs the curl stuff doesn't have/use
>the correct/required certificate in order to be allowed to operatate against
I will try a new idea.
Perhaps, I can generate a special certificate on my server that can be send by
the program (logcertif.php) that runs the curl stuff to the apache server.
I configure apache to accept this special certificate and I hope "logcertif.php"
will success to connect to the server.
Once again, thank you for your help.
Daniel Stenberg wrote:
> On Sun, 13 Oct 2002, Xavier Jeannin wrote:
> > My purpose :
> > I want a user (browser) can directly connect in a Web application on a
> > server that I contol using only their certificat.
> I follow. You want the user to connect to a web app using a certificate.
> > Every Web application (like TUTOS) possess a table of account for the
> > people that access to this application.
> That makes sense.
> > So a person has to supply a Login and a password for every Web application
> > that she can use.
> > As I can verify the certificat of person directly on my Web server and so I
> > can authenticate this person. In fact, I try to suppress the login task
> > into the Web application for the user.
> You mean into *other* web applications?
> > I have done a program "logcertif.php" (PHP but It can be in other langage
> > if it needs) that simulate the login into the Web application TUTOS.
> > This program is in the same directory of the Web application TUTOS on the
> > same Web server, so TUTOS and "logcertif.php" are submitted to the same
> > verification from the web server.
> Ok, so your PHP program and the TUTOS web app are on the same server. I don't
> see how that makes a difference though.
> > my program :
> [ PHP program operating on a HTTPS page cut out ]
> > If my apache configuration is :
> > it works fine (it was what I called only SSL)
> > If my apache configuration is :
> > my program 'logcertif.php' does not work, all others programs work fine in
> > this case
> So, this Apache config sets up a more restrictive access to your web app. And
> then your web app using curl stops to work?
> Again, I really can't see how this can be curl's fault.
> > When you connect to "logcertif.php", apache verify the certificat and run
> > logcertificate.php but the connection to
> > "https://www.myserver.com/tutos/php/mytutos.php" failed.
> > SSL said that the expression " m/xavier.jeannin_at_urec.cnrs.fr/i" is not
> > matched.
> Aaaah! Well of course. Your program that runs the curl stuff doesn't have/use
> the correct/required certificate in order to be allowed to operatate against
> the server.
> > Can get the information used for the first conection about the certificat
> > and send in my program logcertif.php for the second connection ?
> I doubt you can do that. It would seem a bit strange that any server could
> steal the client's certificates at will.
> > In other word, is it possible the certificate follow in the second
> > connection ? Do you know if it is possible to do such connection ?
> I'm not an SSL guru, but I think you need to find a different way to solve
> this problem.
> Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
-- ________________________________________________________________________________________ Xavier Jeannin UREC/CNRS Université P. & M. Curie - Tour 65/66 - 4ième étage Courrier : case 171 4, place Jussieu - 75252 PARIS CEDEX 05 Tél : 01 44 27 42 59 - Fax : 01 44 27 42 61 Xavier.Jeannin_at_urec.cnrs.fr _________________________________________________________________________________________ ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sfReceived on 2002-10-13