Re: [mongrel2] Passing peer_cert
- From:
- Arthur Britto
- Date:
- 2011-09-02 @ 23:18
On Fri, Sep 2, 2011 at 3:50 PM, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> On Fri, Sep 02, 2011 at 03:14:07PM -0700, Arthur Britto wrote:
> > For SSL requests, I'd like to make the peer_cert available to my handler.
>
> Do you mean the entire certificate from the SSL client?
I did mean the certificate from the SSL client. I don't need the entire
certificate.
> Can you describe your environment for validating the peer certs? Maybe
> a little filter in Mongrel2 to check the SSL certs could save you a
> bunch of trouble.
I'd like to use the SHA1 fingerprint of the client's DER encoded certificate
to identify and authenticate the client making the connection. I have a
dict of fingerprints to accounts.
This is done to avoid using solutions such as basic authentication,
open id, session keys, etc. In particular, I want to support the client's
use of self-signed certificates to communicate privately.
$ openssl x509 -in server.crt -fingerprint -noout
SHA1 Fingerprint=9E:D5:9F:B7:13:2D:E9:FE:B6:96:88:95:DE:31:33:BE:31:55:4D:ED
So, perhaps:
x-peer-cert-fingerprint:
9E:D5:9F:B7:13:2D:E9:FE:B6:96:88:95:DE:31:33:BE:31:55:4D:ED
or
x-peer-cert-fingerprint: 9ED59FB7132DE9FEB6968895DE3133BE31554DED
Thank you,
-Arthur
--
Arthur Britto, VP of Business Development
ExchB: 1st Bitcoin Exchange in the US
e-mail: ahbritto@exchb.com <ahbritto@exchangebitcoins.com>
phone: 510-402-5278
fax: 650-521-5693
website: http://exchb.com
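Added example (not code from this thread, from Mongrel2, or from the poster): a small Python module that does what the message describes on the handler side. It recovers the DER bytes from a PEM certificate, computes the SHA1 fingerprint over them (the same bytes `openssl x509 -fingerprint` hashes), accepts either the colon-separated or bare-hex form of a proposed `x-peer-cert-fingerprint` header, and looks the normalized value up in a dict of fingerprints to accounts. The class and function names, and the `SAMPLE_DER` byte string, are assumptions made for this example; `SAMPLE_DER` is a constructed placeholder, not a valid X.509 certificate, so the pipeline can run offline.

```python
import hashlib
import ssl
from typing import Dict, Optional

# Constructed sample input: NOT a real X.509 certificate, just a byte string
# standing in for the DER encoding of a client certificate. In a real
# deployment the DER comes from the certificate presented on the SSL
# connection, and Mongrel2 (not the client) would compute the fingerprint.
SAMPLE_DER = bytes(range(256)) * 4
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour and base64 to recover the DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem)


def with_colons(hexdigest: str) -> str:
    """'9ED59FB7...' -> '9E:D5:9F:B7:...', the form openssl prints."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha1_fingerprint(der: bytes, colons: bool = True) -> str:
    """SHA1 over the DER encoding, upper-case hex, optionally colon-separated."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return with_colons(digest) if colons else digest


def normalize_fingerprint(value: str) -> str:
    """Canonical dict key: no colons, no whitespace, upper-case hex."""
    return "".join(value.split()).replace(":", "").upper()


class FingerprintAuthenticator:
    """Maps certificate fingerprints to account names (hypothetical helper)."""

    _HEX = set("0123456789ABCDEF")

    def __init__(self, accounts: Dict[str, str]) -> None:
        # Accept keys in either printed form; store them normalized.
        self._accounts = {normalize_fingerprint(fp): acct
                          for fp, acct in accounts.items()}

    def authenticate_der(self, der: bytes) -> Optional[str]:
        """Identify a client directly from its certificate bytes."""
        return self._accounts.get(sha1_fingerprint(der, colons=False))

    def authenticate_header(self, header_value: Optional[str]) -> Optional[str]:
        """Identify a client from an x-peer-cert-fingerprint header value.

        Only meaningful if the front end sets this header itself and drops
        any copy supplied by the client; otherwise it can be spoofed.
        """
        if not header_value:
            return None
        key = normalize_fingerprint(header_value)
        # SHA1 is 20 bytes = 40 hex digits; reject anything else outright.
        if len(key) != 40 or not set(key) <= self._HEX:
            return None
        return self._accounts.get(key)


if __name__ == "__main__":
    fp = sha1_fingerprint(der_from_pem(SAMPLE_PEM))
    auth = FingerprintAuthenticator({fp: "sample-account"})
    print("x-peer-cert-fingerprint:", fp)
    print("account:", auth.authenticate_header(fp))
```

Two caveats a practitioner would add to this design. First, the header is only trustworthy if Mongrel2 always overwrites or strips an incoming `x-peer-cert-fingerprint`; a header that a client can set is not authentication. Second, the SHA1 fingerprint identifies the certificate bytes, not the private key, so the front end must still require proof of possession (a completed TLS handshake with that client certificate) before the fingerprint means anything; a SHA-256 fingerprint would be the preferred choice today, and the code above changes in one line to produce it.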