[racket] openssl - authenticating clients via certificates

From: Curtis Dutton (curtdutt at gmail.com)
Date: Fri Feb 25 15:00:26 EST 2011

Ok so I have made some changes to the ssl code and have something working
now (openssl collection). OpenSSL supports a "try verify" mode that will
still accept an ssl connection even if a client cannot provide a valid
certificate. This allows me to support the scenario of a public https usage
for anonymous users, and allows my webserver to also verify clients with
approved certificates.

I'd like to solicit any thoughts/advice on my api additions.

*ssl-try-verify!* - identical to ssl-set-verify! however it will try to
verify if possible but still allow the connection to proceed if verification
fails
*ssl-peer-verified?* - given an ssl port determines if the remote peer of a
specific ssl port was verified
*ssl-peer-subject-name* - given an ssl port returns a string that is the
full subject name of the certificate issued by the peer or false if the peer
is unverified
*ssl-peer-issuer-name* - given an ssl port returns a string that is the full
certificate name of the certificate issued by the peer or false if the peer
is unverified

I would ultimately like to integrate these changes back into racket. This
would be my first time contributing to racket. What is the next step to
getting these changes integrated?



Now finally.

Some errors related to chrome and safari. When using those browsers to
connect to my server (also repros with the stock ssl racket collection) I
see a lot of these...

"Connection error: ssl-accept/enable-break: accept failed (input terminated
prematurely)"

however the browsers behave as if everything is working correctly. Sounds
like a familiar issue to anyone?


Thanks,
    Curtis

On Wed, Jan 5, 2011 at 7:37 AM, Curtis Dutton <curtdutt at gmail.com> wrote:

> I am interested in implementing authentication via client browser
> certificates with a racket webserver.
>
> I have a small online store website that has both a public side, for
> anybody, and a set of pages that are private for the management interface of
> that website.
>
> But I don't like the risk of only using a password to access the admin
> side. I'd like to be able to issue certificates to my client's browsers such
> that only a set few computers on their business premises can access the
> admin interface and ultimately get to sensitive customer information.
>
> Something nice to have would also be the ability to blacklist certificates
> (similar to how OpenVPN can reject specific user's certificates) just in
> case a certificate ever became compromised.
>
>
> Has anybody figured out a way to do this yet?
>
>  I am willing to volunteer some effort to help implement. Any pointers on
> where to get started, design considerations, etc... are appreciated if that
> is the case.
>
>
> Thanks,
>       Curtis
>
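An added example (not code from the post, nor from the racket openssl collection itself) of how the four proposed functions would be used to serve a public store and a certificate-gated admin side from one listener, with a hand-maintained blacklist standing in for the OpenVPN-style revocation the earlier message asks about. It assumes ssl-try-verify!, ssl-peer-verified?, ssl-peer-subject-name and ssl-peer-issuer-name behave as described above; the other calls are the existing openssl collection API, and the certificate file names, the port and the revoked subject name are placeholders.

```racket
#lang racket
(require openssl)

;; Added example, not code from the post. It assumes the proposed
;; ssl-try-verify!, ssl-peer-verified?, ssl-peer-subject-name and
;; ssl-peer-issuer-name behave as described in the post; every other call
;; is the existing openssl collection API. File names are placeholders.

;; The post says the name functions return strings; if an implementation
;; hands back bytes instead, normalise before comparing.
(define (name->string n)
  (if (bytes? n) (bytes->string/utf-8 n) n))

;; Hand-maintained blacklist of subject names whose keys are believed
;; compromised (hypothetical entry). Entries must use the same "full
;; subject name" form the API returns, e.g. OpenSSL's one-line "/O=../CN=..".
(define revoked-subjects
  (set "/O=Example Store/CN=compromised-laptop"))

(define (make-server-context)
  (define ctx (ssl-make-server-context))
  (ssl-load-certificate-chain! ctx "server-cert.pem")
  (ssl-load-private-key! ctx "server-key.pem")
  ;; Only certificates that chain to this private CA count as verified.
  (ssl-load-verify-root-certificates! ctx "admin-ca.pem")
  ;; Request a client certificate, but keep the handshake alive when the
  ;; browser offers none, so anonymous shoppers still get a connection.
  (ssl-try-verify! ctx #t)
  ctx)

;; Classify the remote peer of an accepted ssl port.
;; The blacklist is consulted only after verification succeeded, so the
;; subject string being matched was signed by our own CA.
(define (classify-peer in)
  (cond
    [(not (ssl-peer-verified? in)) 'anonymous]
    [(set-member? revoked-subjects (name->string (ssl-peer-subject-name in)))
     'revoked]
    [else 'admin]))

;; Authorization: the public side is open to anyone not revoked; /admin
;; requires a verified, non-revoked certificate.
(define (decide peer-class admin-request?)
  (case peer-class
    [(revoked) "403 Forbidden"]
    [(admin) "200 OK"]
    [(anonymous) (if admin-request? "403 Forbidden" "200 OK")]))

(define (handle-connection in out)
  (define request-line (read-line in 'return-linefeed))
  (define admin-request?
    (and (string? request-line)
         (regexp-match? #rx"^[A-Z]+ /admin" request-line)))
  (define peer-class (classify-peer in))
  (define status (decide peer-class admin-request?))
  ;; Audit trail: which certificate, from which issuer, got which answer.
  (when (ssl-peer-verified? in)
    (eprintf "client cert subject=~a issuer=~a\n"
             (name->string (ssl-peer-subject-name in))
             (name->string (ssl-peer-issuer-name in))))
  (eprintf "~a ~s -> ~a\n" peer-class request-line status)
  (fprintf out "HTTP/1.0 ~a\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
           status)
  (close-output-port out)
  (close-input-port in))

(define (serve port-no)
  (define listener (ssl-listen port-no 5 #t #f (make-server-context)))
  (let loop ()
    ;; A failed handshake must not take the whole listener down; log it
    ;; and go back to accepting.
    (with-handlers ([exn:fail?
                     (lambda (e)
                       (eprintf "accept failed: ~a\n" (exn-message e)))])
      (let-values ([(in out) (ssl-accept listener)])
        (thread (lambda () (handle-connection in out)))))
    (loop)))

;; (serve 8443)
```

Two caveats on the blacklist as written: keying revocation on the subject string only works if the CA never issues two certificates with the same subject, so a real deployment would key on issuer plus serial number (which the proposed API does not expose) or load a CRL, and the decision must stay behind the ssl-peer-verified? check, since an unverified peer's name is not returned at all.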

Posted on the users mailing list.