
Re: web apps and client certificate authentication



Emmanuel Dreyfus wrote:
Michael Ströder <michael@stroeder.com> wrote:

Yes. However in theory the web app could run within a custom HTTP server
and intercept the SSL/TLS handshake.

In fact I thought a bit more about it and I do not think it can work: if the HTTP server intercepts the SSL handshake and proxies it to slapd, then the SSL connection will be between the web browser and slapd. The HTTP server will not be able to handle the request.

In fact we would need a double SSL handshake: one with the HTTP server
and another one with slapd, proxied by the HTTP server. I am not even
sure it is possible.

Yes, now you see why the steps here

http://www.openldap.org/lists/openldap-technical/200901/msg00037.html

are necessary. You need secure handshakes between all three parties, and secure credentials that all three parties can trust.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/