soaplite · SOAP::Lite for Perl (soaplite.com)

Group Information

  • Members: 1205
  • Category: Protocols
  • Founded: Jan 28, 2001
  • Language: English
Client cert authZ
#2566 From: Trevor Leffler <tleffler@...>
Date: Wed Apr 30, 2003 8:05 pm
Subject: Client cert authZ
Hello all,

I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
that--via some Apache directives--forces client SSL connections and client cert
authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
messages, and go on our merry ways.

After the client authN, I would like to add client authZ by getting a handle on
the cert, extracting its IP address (or any other cert attributes), and
comparing that against a list of "allowed" IPs. I could simply add the
appropriate directives to the .htaccess file (i.e. make Apache do the check),
but I'd like to do this check for each CGI SOAP server in the directory, because
each server offers a different set of SOAP services, and different clients
should be authZ'ed for only certain services.

Any thoughts? Does SOAP::Transport::HTTP provide access to client certs? Am I
going about this the wrong way?

Thanks for any input, or especially pointers to code examples, etc.
--
Trevor Leffler, Software Developer
PETTT / Ed-Tech Development Group
Educational Partnerships & Learning Technologies
University of Washington
(206) 616-3406 / OUGL 230, Box 353080

#2567 From: Pablo Averbuj <pablo@...>
Date: Thu May 1, 2003 3:31 am
Subject: Re: Client cert authZ
On Wed, Apr 30, at 01:05PM, Trevor Leffler wrote:
> I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
> that--via some Apache directives--forces client SSL connections and client cert
> authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
> messages, and go on our merry ways.
>
> After the client authN, I would like to add client authZ by getting a handle on
> the cert, extracting its IP address (or any other cert attributes), and
> comparing that against a list of "allowed" IPs. I could simply add the
> appropriate directives to the .htaccess file (i.e. make Apache do the check),
> but I'd like to do this check for each CGI SOAP server in the directory, because
> each server offers a different set of SOAP services, and different clients
> should be authZ'ed for only certain services.

I'm not an expert, so it's quite likely I'm wrong, but it sounds
like this isn't particular to SOAP::Lite at all. It seems like
apache creates a bunch of environment variables for HTTPS
connections that you can access and may be useful.

http://www.apache-ssl.org/docs.html#CGI

Particularly either the SSL_CLIENT_I_DN or the SSL_CLIENT_CERT if
you don't want the DN.

I'm also confused by the whole IP issue. It would seem to me that if
you want to restrict based on IP, you can use the standard CGI
environment variables for the remote host (REMOTE_ADDR) and not
trouble yourself with the SSL certificate at all. However, if
you're using the SSL certificates for authentication (so that IP
addresses don't matter) then you probably want to look at the
certificate chain to make sure it terminates in a trusted source
and the DN is authorized.

HTH,
-Pablo
#2581 From: Trevor Leffler <tleffler@...>
Date: Sat May 3, 2003 12:07 am
Subject: Re: Client cert authZ
Pablo Averbuj wrote:
> On Wed, Apr 30, at 01:05PM, Trevor Leffler wrote:
>
>> I've got a SOAP::Lite "server" (just a CGI, really) that lives in a directory
>> that--via some Apache directives--forces client SSL connections and client cert
>> authentication. So, the SOAP client connects, we exchange certs, exchange SOAP
>> messages, and go on our merry ways.
>>
>> After the client authN, I would like to add client authZ by getting a handle on
>> the cert, extracting its IP address (or any other cert attributes), and
>> comparing that against a list of "allowed" IPs. I could simply add the
>> appropriate directives to the .htaccess file (i.e. make Apache do the check),
>> but I'd like to do this check for each CGI SOAP server in the directory, because
>> each server offers a different set of SOAP services, and different clients
>> should be authZ'ed for only certain services.
>
> I'm not an expert, so it's quite likely I'm wrong, but it sounds
> like this isn't particular to SOAP::Lite at all. It seems like
> apache creates a bunch of environment variables for HTTPS
> connections that you can access and may be useful.
>
> http://www.apache-ssl.org/docs.html#CGI
>
> Particularly either the SSL_CLIENT_I_DN or the SSL_CLIENT_CERT if
> you don't want the DN.
>
> I'm also confused by the whole IP issue. It would seem to me that if
> you want to restrict based on IP, you can use the standard CGI
> environment variables for the remote host (REMOTE_ADDR) and not
> trouble yourself with the SSL certificate at all. However, if
> you're using the SSL certificates for authentication (so that IP
> addresses don't matter) then you probably want to look at the
> certificate chain to make sure it terminates in a trusted source
> and the DN is authorized.
>
> HTH,
> -Pablo

Just wanted to tie this thread up. Yes, you are right: certificate information
(e.g. DN, CN) is available to Apache, and to the CGI program via env vars. And,
this happens at the security (SSL) level, which doesn't really include SOAP
(ignoring the various SOAP-sec standards in the works). So, my authN/authZ
steps can be handled by either apache directives or my CGIs before the SOAP
request is handled.

Also, you're right about the IP/cert confusion--IP restriction can be
unnecessarily restrictive or just plain unnecessary, and actually has little to
do with certs. I would really be checking the cert's CN or DN against a known
list.

Thanks for the input,
Oh, and sorry for cluttering the list with SSL stuff. Perhaps it'll help out
the next guy, tho... ;)
--Trevor
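The approach the two messages above converge on, written out as an added example (not code from the thread, from SOAP::Lite, or from either poster): Apache verifies the client certificate chain and exports the result and the subject DN to the CGI environment, and the CGI itself checks that DN against a per-service allow list before any SOAP method runs. The variable names are mod_ssl's (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, exported when SSLOptions +StdEnvVars is set alongside SSLVerifyClient require); Apache-SSL, which Pablo's link documents, names the subject DN variable SSL_CLIENT_DN instead. The service class, method names and DNs are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a SOAP::Lite CGI that does its own
# client-certificate authorization from the mod_ssl environment variables.
# Assumes the directory has "SSLVerifyClient require" and "SSLOptions
# +StdEnvVars", so SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN are populated.
# Service class, methods and DNs below are hypothetical, constructed values.
use strict;
use warnings;
use SOAP::Transport::HTTP;

# Allow list for this particular CGI: which SOAP methods each client
# certificate subject DN may call. Other CGIs in the directory carry their own.
my %ALLOWED = (
    '/C=US/O=Example University/OU=EdTech/CN=grades-reader' => [qw(getGrades)],
    '/C=US/O=Example University/OU=EdTech/CN=grades-admin'  => [qw(getGrades setGrades)],
);

# Returns 1 only if Apache reported a verified chain ($verify eq 'SUCCESS')
# and the full subject DN is permitted to call $method; anything missing,
# empty or unexpected fails closed.
sub authorized {
    my ($verify, $dn, $method) = @_;
    return 0 unless defined $verify && $verify eq 'SUCCESS';
    return 0 unless defined $dn && defined $method && exists $ALLOWED{$dn};
    return (grep { $_ eq $method } @{ $ALLOWED{$dn} }) ? 1 : 0;
}

# Coarse gate for the whole CGI: is this a verified, known client at all?
sub known_client {
    my ($verify, $dn) = @_;
    return 0 unless defined $verify && $verify eq 'SUCCESS';
    return (defined $dn && exists $ALLOWED{$dn}) ? 1 : 0;
}

# Called first by every exposed method; a denied call becomes a SOAP Client
# fault instead of running the service code.
sub require_authz {
    my ($method) = @_;
    return if authorized($ENV{SSL_CLIENT_VERIFY}, $ENV{SSL_CLIENT_S_DN}, $method);
    die SOAP::Fault->faultcode('Client')
                   ->faultstring("not authorized for $method");
}

package Grades;    # the service class this CGI exposes (hypothetical)

sub getGrades {
    my ($class, $student_id) = @_;      # SOAP::Lite passes the class name first
    main::require_authz('getGrades');
    return "grades for $student_id";    # placeholder for the real lookup
}

sub setGrades {
    my ($class, $student_id, $grades) = @_;
    main::require_authz('setGrades');
    return "updated $student_id";       # placeholder for the real update
}

package main;

# Reject unknown certificates before the SOAP envelope is even parsed, so a
# client with no business here never reaches the deserializer.
unless (known_client($ENV{SSL_CLIENT_VERIFY}, $ENV{SSL_CLIENT_S_DN})) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n",
          "client certificate not authorized for this service\n";
    exit 0;
}

SOAP::Transport::HTTP::CGI
    ->dispatch_to('Grades')
    ->handle;
```

Two design points worth keeping: the check on SSL_CLIENT_VERIFY is what ties the DN to Pablo's "chain terminates in a trusted source" requirement, since mod_ssl only reports SUCCESS for a chain that validates against the configured CA file; and matching the full subject DN rather than the bare CN avoids treating two different certificates that happen to share a CN as the same client.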
Copyright © 2010 Yahoo! Inc. All rights reserved.