Re: ssl client certificates

Andrew Steets wrote:

>here is a preliminary patch against TOT which includes the patch
>I sent out earlier this evening and now has basic support for client
>side certs.  
>
For convenience, I went ahead and checked them in as,

    Checking in configure.ac;
    /sources/public/libwww/configure.ac,v  <--  configure.ac
    new revision: 1.3; previous revision: 1.2
    done
    Checking in Library/src/SSL/HTSSL.c;
    /sources/public/libwww/Library/src/SSL/HTSSL.c,v  <--  HTSSL.c
    new revision: 1.8; previous revision: 1.7
    done
    Checking in Library/src/SSL/windows/wwwssl.def;
    /sources/public/libwww/Library/src/SSL/windows/wwwssl.def,v  <--  wwwssl.def
    new revision: 1.4; previous revision: 1.3
    done
    Checking in Robot/src/HTRobMan.html;
    /sources/public/libwww/Robot/src/HTRobMan.html,v  <--  HTRobMan.html
    new revision: 1.10; previous revision: 1.9
    done
    Checking in Robot/src/Makefile.am;
    /sources/public/libwww/Robot/src/Makefile.am,v  <--  Makefile.am
    new revision: 1.33; previous revision: 1.32
    done
    Checking in Robot/src/RobotMain.c;
    /sources/public/libwww/Robot/src/RobotMain.c,v  <--  RobotMain.c
    new revision: 1.14; previous revision: 1.13
    done

>The webbot now has options
>  
>
Hurrms, I wonder how many options webbot is missing compared to wget . . .

>-verifydepth <n> 
>-sslprot <v1 | v2 |  v23>
>-keyfile <private key filename>
>-certfile <public cert filename>
>  
>
Looking at the options available from the openssl tools, for example
    http://www.openssl.org/docs/apps/s_time.html
We add some aliases to match option syntax; we might also want to
consider an appropriate set of defaults, given the way popular
distributions organize the certs.

>you can robot all over a server that requires client side certs provided you have the right key/cert files and some knowledge of openssl (to convert your stuff to PEM format if needed).
>  
>
Even though some howto action would turn into an openssl + apache + 
libwww, it might be nice to construct something like the stunnel example,
  http://www.stunnel.org/examples/client_cert.html
Perhaps we can dig some session scrapings from our shell history.

>Let me know what you think.
>  
>
Great work, look forward to the refinements!

more,
l8r,
v


Received on Monday, 28 February 2005 03:10:55 UTC