Thank you so much for posting and for x509 auth. I got it working. For anyone who finds this. If you're using apache you need to change line 33 in x509_auth.py from self.ssl_client_raw_cert = self.request.env.ssl_client_cert

It's the same cert that gets decoded by X509.FORMAT_PEM, but I suspect the ssl_client_raw_cert variable was for NGINX? Anyways, thank you so much again. The SSLVerifyClient require and SSLVerifyDepth were also a help.

Could you tell me how it works on the backend? How will it create user accounts etc... Some of our users don't have e-mail in their certs so I have that commented out temporarily while I figure something out.

On Wednesday, March 11, 2015 at 8:05:48 AM UTC-4, mcm wrote:
>
> I am glad someone is using x509 Auth, it is a very simple way to handle user security,
>
> One important piece of the puzzle (with apache) is:
>
> SSLVerifyClient optional
>
> The optional allows one to accept any user on the website, while having some web2py actions require a valid user certificate just by adding the standard @auth.requires_login()
>
> ## Client Authentication (Type):
> # Client certificate verification type and depth. Types are none, optional,
> # require and optional_no_ca. Depth is a number which specifies how deeply
> # to verify the certificate issuer chain before deciding the certificate is
> # not valid.
> #SSLVerifyClient require
> #SSLVerifyDepth 10
>
> 2015-03-11 12:27 GMT+01:00 LoveWeb2py <atayl...@gmail.com>:
>
>> Those are exactly the two I don't have so far from the list I saw in another post I have:
>>
>> SSL_CIPHER, SSL_CLIENT_I_DN, SSL_CLIENT_CERT, SSL_CLIENT_VERIFY
>>
>> The following are not being passed (probably a problem with my ssl.conf):
>> SSL_CLIENT_RAW_CERT, SSL_SESSION_ID, SSL_CLIENT_SERIAL
>>
>> Almost there! :) I'll post the fix when I find it
>>
>> On Tuesday, March 10, 2015 at 7:56:45 PM UTC-4, Niphlod wrote:
>>>
>>> debug it, debug it, debug it.
>>>
>>> AFAICS, x509_auth.py requires:
>>>
>>> ssl_client_raw_cert
>>> optional ssl_client_serial
>>>
>>> On Wednesday, March 11, 2015 at 12:04:51 AM UTC+1, LoveWeb2py wrote:
>>>>
>>>> so I did {{=request.env}} and I can see the SSL DATA certificate in another app, but for some reason the app that requires the data isn't being passed. Going to keep troubleshooting that app because I really want to use the x509 authentication with web2py!!
>>>>
>>>> for some reason the x509 auth isn't working still. Going to keep pressing and will post a fix when I find it. Thank you so much for your help Niphlod. I hope this helps others in the future!
>>>>
>>>> On Tuesday, March 10, 2015 at 6:40:29 PM UTC-4, Niphlod wrote:
>>>>>
>>>>> what if you return somewhere this dict (takes the "SSL*" env variables and prints it)
>>>>>
>>>>> def yourcode():
>>>>>     .........
>>>>>     debug_values = {}
>>>>>     for k, v in request.env.iteritems():
>>>>>         if k.lower().startswith('ssl'):
>>>>>             debug_values[k] = v
>>>>>     .........
>>>>>     return dict(........., debug_values=debug_values)
>>>>>
>>>>> just to see if those get indeed passed along.
>>>>>
>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to the Google Groups "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
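
Added example, not part of the thread and not code from x509_auth.py: a lookup that accepts either certificate variable name discussed above, trusts the certificate only when mod_ssl reports SSL_CLIENT_VERIFY as SUCCESS (which matters once SSLVerifyClient is set to optional), and falls back to the subject CN for certificates without an e-mail. The function names, the CN fallback and the sample environments are assumptions constructed for illustration.

```python
# Added example. ssl_debug_values, ssl_identity and the sample environments
# are hypothetical names/data, not part of web2py or x509_auth.py.

# The two certificate variable names that came up in the thread.
CERT_KEYS = ("ssl_client_raw_cert", "ssl_client_cert")

def ssl_debug_values(env):
    """Collect the SSL* entries of a request environment, keys lowercased."""
    return {k.lower(): v for k, v in env.items() if k.lower().startswith("ssl")}

def ssl_identity(env):
    """Return {'username', 'cert_key', 'pem'} for a verified client, else None."""
    ssl = ssl_debug_values(env)
    # With "SSLVerifyClient optional" a request may carry no certificate
    # (NONE); optional_no_ca can yield GENEROUS. Only SUCCESS is trusted.
    if ssl.get("ssl_client_verify") != "SUCCESS":
        return None
    cert_key = next((k for k in CERT_KEYS if ssl.get(k)), None)
    if cert_key is None or "BEGIN CERTIFICATE" not in ssl[cert_key]:
        return None
    # Assumption: prefer the subject e-mail, fall back to the subject CN for
    # certificates issued without one (mod_ssl exports both as SSL_CLIENT_S_DN_*).
    username = ssl.get("ssl_client_s_dn_email") or ssl.get("ssl_client_s_dn_cn")
    if not username:
        return None
    return {"username": username, "cert_key": cert_key, "pem": ssl[cert_key]}

# Constructed sample environments (the PEM body is a placeholder, not a real cert).
PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
APACHE_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": PEM,
              "SSL_CLIENT_S_DN_CN": "alice", "HTTP_HOST": "example.test"}
RAW_CERT_ENV = {"ssl_client_verify": "SUCCESS", "ssl_client_raw_cert": PEM,
                "ssl_client_s_dn_email": "bob@example.test"}
ANONYMOUS_ENV = {"SSL_CLIENT_VERIFY": "NONE", "SSL_CIPHER": "PLACEHOLDER"}
UNVERIFIED_ENV = dict(APACHE_ENV, SSL_CLIENT_VERIFY="GENEROUS")

if __name__ == "__main__":
    for name, env in [("apache", APACHE_ENV), ("raw", RAW_CERT_ENV),
                      ("anonymous", ANONYMOUS_ENV), ("unverified", UNVERIFIED_ENV)]:
        ident = ssl_identity(env)
        print(name, ident and (ident["username"], ident["cert_key"]))
```

A CN is not guaranteed unique across issuers, so an account key built this way is only safe when a single CA that enforces unique CNs is trusted.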