Ok so I have made some changes to the ssl code and have something working now (openssl collection). OpenSSL supports a "try verify" mode that will still accept an ssl connection even if a client cannot provide a valid certificate. This allows me to support the scenario of public https usage for anonymous users, and allows my webserver to also verify clients with approved certificates.<div>
<br></div><div>I'd like to solicit any thoughts/advice on my API additions.</div><div><br></div><div><b>ssl-try-verify!</b> - identical to ssl-set-verify!; however, it will try to verify if possible but still allow the connection to proceed if verification fails</div>
<div><b>ssl-peer-verified?</b> - given an ssl port, determines if the remote peer of that port was verified</div><div><b>ssl-peer-subject-name</b> - given an ssl port, returns a string that is the full subject name of the certificate issued by the peer, or false if the peer is unverified</div>
<div><b>ssl-peer-issuer-name</b> - given an ssl port, returns a string that is the full certificate name of the certificate issued by the peer, or false if the peer is unverified</div><div><br></div><div><div>I would ultimately like to integrate these changes back into Racket. This would be my first time contributing to Racket. What is the next step to getting these changes integrated?</div>
<div><br></div><div>Now finally.</div><div><br></div><div>Some errors related to Chrome and Safari. When using those browsers to connect to my server (it also repros with the stock ssl Racket collection) I see a lot of these...</div>
<div><br></div><div>"Connection error: ssl-accept/enable-break: accept failed (input terminated prematurely)"</div><div><br></div><div>however the browsers behave as if everything is working correctly. Sound like a familiar issue to anyone?</div>
<div><br></div><div><br></div><div>Thanks,</div><div> Curtis</div><div><br><div class="gmail_quote">On Wed, Jan 5, 2011 at 7:37 AM, Curtis Dutton <span dir="ltr"><<a href="mailto:curtdutt@gmail.com">curtdutt@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">I am interested in implementing authentication via client browser certificates with a racket webserver.<div><br></div>
<div>I have a small online store website that has both a public side, for anybody, and a set of pages that are private for the management interface of that website.</div>
<div><br></div><div>But I don't like the risk of only using a password to access the admin side. I'd like to be able to issue certificates to my client's browsers such that only a set few computers on their business premises can access the admin interface and ultimately get to sensitive customer information. </div>
<div><br></div><div>Something nice to have would also be the ability to blacklist certificates (similar to how OpenVPN can reject specific user's certificates) just in case a certificate ever became compromised.</div>
<div><br></div><div>Has anybody figured out a way to do this yet?</div><div><br></div><div>I am willing to volunteer some effort to help implement. Any pointers on where to get started, design considerations, etc... are appreciated if that is the case.</div>
<div><br></div><div><br></div><div>Thanks,</div><div> Curtis</div>
</blockquote></div><br></div></div>
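An added example (not code from this thread or from the Racket openssl collection) of how a server could use the four proposed functions to keep the public side open while gating the admin interface and rejecting blacklisted client certificates. It assumes the functions exist with the signatures described in the post, that ssl-peer-subject-name returns a string as stated, and that the file paths and subject names are placeholders.

```racket
#lang racket
(require openssl)

;; Server context: assumed placeholder paths for the server's own cert/key and
;; for the CA that issues the browser certificates to the approved client machines.
(define ctx (ssl-make-server-context))
(ssl-load-certificate-chain! ctx "server-cert.pem")
(ssl-load-private-key! ctx "server-key.pem")
(ssl-load-verify-root-certificates! ctx "client-ca.pem")

;; Proposed API from the post (assumed): request a client certificate, but let
;; the handshake complete even when the browser presents none or an invalid one.
(ssl-try-verify! ctx #t)

;; Blacklist of compromised certificates, keyed by subject name (constructed value).
(define revoked-subjects
  (set "/C=US/O=Example Store/CN=front-desk-pc"))

;; Classify a connection purely from the verification state of its ssl port.
;; Anonymous peers only ever see the public side; a verified peer whose subject
;; is blacklisted is rejected outright, so a compromised cert buys nothing.
(define (access-level in)
  (cond
    [(not (ssl-peer-verified? in)) 'public]
    [(set-member? revoked-subjects (ssl-peer-subject-name in)) 'rejected]
    [else 'admin]))

;; Minimal accept loop showing where the check sits; a real deployment would
;; hand the ports to the web-server dispatcher instead of writing canned replies.
(define (serve port-no)
  (define listener (ssl-listen port-no 5 #t #f ctx))
  (let loop ()
    (define-values (in out) (ssl-accept listener))
    (thread
     (lambda ()
       (case (access-level in)
         [(rejected) (void)]  ; blacklisted cert: say nothing and drop it
         [(admin)
          (fprintf out "HTTP/1.0 200 OK\r\n\r\nadmin for ~a (issued by ~a)\r\n"
                   (ssl-peer-subject-name in) (ssl-peer-issuer-name in))]
         [(public)
          (fprintf out "HTTP/1.0 200 OK\r\n\r\npublic storefront\r\n")])
       (close-output-port out)
       (close-input-port in)))
    (loop)))
```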