Bug 18395 - SSL VerifyClient with POST would be useful
Status: RESOLVED DUPLICATE of bug 12355
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.0.39
Hardware: PC All
Importance: P3 normal with 2 votes
Assignee: Apache HTTPD Bugs Mailing List
Duplicates: 24725
Reported: 2003-03-27 03:49 UTC by phenyyoung
Modified: 2004-11-16 19:05 UTC
Description phenyyoung 2003-03-27 03:49:03 UTC
SSLVerifyClient directive in location makes POST to Web application impossible
Comment 1 William A. Rowe Jr. 2003-04-08 06:58:38 UTC
  Agreed - sorry, but this is not yet implemented.

  Mechanically, the server must slurp up the whole POST body, then talk the
  client into renegotiating.

  connection: upgrade tls would help enormously, but 5 years later we are only
  now implementing it - and it will take some time for any clients to jump
  on board.
Comment 2 Matthew Bogosian 2003-11-17 01:13:51 UTC
So I guess Apache 2.0 just can't be used to implement any web services that want
to do SSL-based authentication? Here's the scenario where getting the SSL info
on a post is absolutely critical:

Say I want to make a web service application which clients can call to check on
their order status (e.g., processing, shipped, etc.). I have a MySQL database
which stores all the customer data (IDs, SSL public keys, etc.). Clients call an
XML-RPC method to determine their order status. I want to be able to look up
their customer ID based on the SSL cert they're using so I can issue the
appropriate response. Pretty simple, right?

XML-RPC (and SOAP) are both POST-based. That means if the client calls the
XML-RPC method, I have no way of getting at the SSL cert that the client is
using, and therefore, cannot validate it with the one I have in the database.

This kind of authentication isn't necessarily all that commonplace in a
user-driven application, but is quite necessary for use in the world of web
services.

Is there a workaround in the meantime? Does this work in 1.x?
Comment 3 Mads Toftum 2003-11-17 03:27:13 UTC
*** Bug 24725 has been marked as a duplicate of this bug. ***
Comment 4 Joe Orton 2004-06-03 09:11:16 UTC
This issue is being tracked by bug 12355; reopening to mark as duplicate.
Comment 5 Joe Orton 2004-06-03 09:11:53 UTC

*** This bug has been marked as a duplicate of 12355 ***
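
As an added illustration (not part of the bug report and not the httpd project's own configuration), the two fragments below contrast the per-directory verification the report describes with verification in per-server context, where the client certificate is requested during the initial handshake and nothing has to be renegotiated after a POST has been read. The address, host name and file paths are placeholders, and the two virtual hosts are alternatives, not meant to be loaded together.

```apache
# --- Alternative A: the setup from the report -------------------------------
# The handshake completes without a client certificate. SSLVerifyClient in
# per-directory context then forces a renegotiation after the request has
# been read, which is the step that cannot be completed while a POST body
# is still pending.
<VirtualHost 192.0.2.10:443>
    ServerName rpc.example.com                             # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt        # placeholder path
    SSLCertificateKeyFile /etc/httpd/ssl/server.key        # placeholder path
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt     # placeholder path

    <Location /xmlrpc>
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>

# --- Alternative B: verify in per-server context -----------------------------
# SSLVerifyClient at virtual-host level applies to the standard handshake when
# the connection is established, so the certificate is already known before
# any request (GET or POST) is read. The cost: every request to this virtual
# host needs a certificate, so the service gets a host of its own.
<VirtualHost 192.0.2.10:443>
    ServerName rpc.example.com                             # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt        # placeholder path
    SSLCertificateKeyFile /etc/httpd/ssl/server.key        # placeholder path
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt     # placeholder path

    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location /xmlrpc>
        # No SSLVerifyClient here: a per-directory setting that differs from
        # the per-server one would bring the renegotiation back.
        # Export the certificate details to the application so it can map
        # the presented certificate to a customer record
        # (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_CERT).
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>
```

With alternative B the application should still check that `SSL_CLIENT_VERIFY` is `SUCCESS` before trusting the exported certificate fields.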