Summary: | SSL VerifyClient with POST would be useful | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | phenyyoung <phenyyoung> |
Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | RESOLVED DUPLICATE | ||
Severity: | normal | CC: | jimc |
Priority: | P3 | ||
Version: | 2.0.39 | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | All |
Description
phenyyoung
2003-03-27 03:49:03 UTC
Agreed - sorry, but this is not yet implemented. Mechanically, the server must slurp up the whole POST body, then talk the client into renegotating. connection: upgrade tls would help enormously, but 5 years later we are only now implementing it - and it will take some time for any clients to jump on board. So I guess Apache 2.0 just can't be used to implement any web services who want to do SSL-based authentication? Here's the scenario where getting the SSL info on a post is absolutely critical: Say I want to make a web service application which clients can call to check on their order status (e.g., processing, shipped, etc.). I have a MySQL database which stores all the customer data (IDs, SSL public keys, etc.). Clients call an XML-RPC method to determine their order status. I want to be able to look up their customer ID based on the SSL cert they're using so I can issue the appropriate response. Pretty simple, right? XML-RPC (and SOAP) are both POST-based. That means if the client calls the XML-RPC method, I have no way of getting at the SSL cert that the client is using, and therefore, cannot validate it with the one I have in the database. This kind of authentication isn't necessarily all that commonplace in a user-driven application, but is quite necessary for use in the world of web services. Is there a workaround in the mean time? Does this work in 1.x? *** Bug 24725 has been marked as a duplicate of this bug. *** This issue is being tracked by bug 12355; reopening to mark as duplicate. |