
Re: web apps and client certificate authentication



Emmanuel Dreyfus wrote:
> There is no way for a web app, (for instance written in PHP) to perform
> an SSL handshake with the browser. Apache does it, all it can do is to
> hand the client credentials to the web app, which executes after the SSL
> handshake took place.

Yes. However in theory the web app could run within a custom HTTP server
and intercept the SSL/TLS handshake.

> I see a solution, though. When doing HTTP authentication using LDAP,
> Apache performs a ldap_bind using credentials given by the client.

Are you talking about HTTP basic authentication? Yes, then the web
server gets the clear-text password and the web app can access it too.

> For
> now the LDAP handle obtained from ldap_bind is just forgotten. Apache
> could keep it and make it available to other modules (like mod_php) for
> them to perform LDAP operations on behalf of the client.

With HTTP basic authc you can get the clear-text password from env var
REMOTE_PASSWORD. But you will not gain anything and it's better to
implement form-based password input since the browser caches the HTTP
basic authc credentials.

> That would require 3 modifications
> 1) implement x509 certificate authentication in Apache runtime library
> (it only does ldap_bind_s using login/password for now)
> 2) save the LDAP handle somewhere
> 3) add a ldap_bind_preauth() function in mod_php so that PHP code can
> get the LDAP handle

I don't fully understand your approach. How is the LDAP bind supposed to
work end-to-end with your approach?

Ciao, Michael.
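The contrast Michael draws above (with HTTP basic auth the web app sees the
clear-text password and can bind to LDAP as the user itself; with a client
certificate Apache only hands over the subject DN, so there is nothing to
replay into a simple bind) as an added, runnable example. This is not code
from the thread, from Apache or from mod_php. It reads a CGI/WSGI-style
environment dict; the directory base DN, the `simple_bind` callback, the
`FAKE_DIRECTORY` stand-in and the header names beyond the standard
`HTTP_AUTHORIZATION`, `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN` are assumptions
made for the example.

```python
import base64
import binascii

# Added example (not from the thread). Shows what a web app can recover from
# the request environment under the two schemes discussed and why only HTTP
# Basic lets it perform an LDAP simple bind on the browser user's behalf.
BASE_DN = "ou=people,dc=example,dc=org"  # assumed directory layout


def basic_header(user, password):
    """Build an 'Authorization: Basic' value (used here to construct requests)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        decoded = raw.decode("latin-1")
    # RFC 7617: the first colon separates user-id from password; the
    # password itself may contain further colons, so split only once.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def client_credentials(environ):
    """Describe what the app can learn about the client from the environment."""
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))
    if creds is not None:
        return {"kind": "basic", "user": creds[0], "password": creds[1]}
    # mod_ssl exports SSL_CLIENT_S_DN / SSL_CLIENT_VERIFY to the app when
    # SSLOptions +StdEnvVars is set; no secret accompanies them.
    dn = environ.get("SSL_CLIENT_S_DN")
    if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS" and dn:
        return {"kind": "x509", "dn": dn}
    return None


def bind_as_client(environ, simple_bind):
    """Bind to LDAP with the browser user's own credentials; return the bound DN.

    simple_bind(dn, password) -> bool is a pluggable callback (assumption);
    in a real app it would wrap python-ldap's simple_bind_s or ldap3's bind.
    """
    creds = client_credentials(environ)
    if creds is None:
        raise PermissionError("no client credentials in request")
    if creds["kind"] == "x509":
        # The certificate proved identity to Apache, but the app holds no
        # secret it could replay into a simple bind.
        raise PermissionError("certificate auth: no password to forward for %s" % creds["dn"])
    if creds["password"] == "":
        # A DN with an empty password is an *unauthenticated* bind (RFC 4513
        # 5.1.2) that many servers accept; never forward it.
        raise PermissionError("empty password would yield an unauthenticated bind")
    dn = "uid=%s,%s" % (escape_dn_value(creds["user"]), BASE_DN)
    if not simple_bind(dn, creds["password"]):
        raise PermissionError("LDAP bind failed for %s" % dn)
    return dn


# Constructed stand-in for a directory so the example runs offline.
FAKE_DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "s3cret:with:colons"}


def fake_simple_bind(dn, password):
    """Stand-in for an LDAP simple bind against FAKE_DIRECTORY (constructed)."""
    return password != "" and FAKE_DIRECTORY.get(dn) == password


if __name__ == "__main__":
    req = {"HTTP_AUTHORIZATION": basic_header("alice", "s3cret:with:colons")}
    print("bound as", bind_as_client(req, fake_simple_bind))
    try:
        bind_as_client({"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "CN=alice"},
                       fake_simple_bind)
    except PermissionError as exc:
        print("certificate request:", exc)
```

One deployment caveat: Apache strips the Authorization header from the CGI
environment by default, so a CGI or FastCGI app only sees `HTTP_AUTHORIZATION`
when the server is configured to pass it through (mod_cgi's `CGIPassAuth`, or a
mod_rewrite rule that copies it into an environment variable); mod_php instead
exposes the pair as `PHP_AUTH_USER` / `PHP_AUTH_PW`. The empty-password check is
the one most often missed: forwarding it turns the bind into an unauthenticated
bind that succeeds on many directories.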