get-client-cert
Applicable in PathCheck-class directives.
The get-client-cert function gets the authenticated
client certificate from the SSL3 session. The function can apply to
all HTTP methods, or only to those that match a specified pattern.
The function only works when SSL is enabled on the server.
If the certificate is present or obtained from the SSL3 session,
the function returns REQ_NOACTION, allowing the
request to proceed. Otherwise, the function returns REQ_ABORTED and
sets the protocol status to 403 FORBIDDEN, causing
the request to fail and the client to be given the FORBIDDEN status.
Parameters
The following table describes parameters for the get-client-cert function.

Table 5–62 get-client-cert Parameters

Parameter: dorequest
Description:
    Controls whether to try to get the certificate or just test
    for its presence. If dorequest is absent, the default
    value is 0.
    - 1 tells the function to redo the SSL3 handshake to get a client
      certificate, if the server does not already have the client
      certificate. This action typically causes the client to present a
      dialog box to the user to select a client certificate. The server
      might already have the client certificate if it was requested on
      the initial handshake, or if a cached SSL session has been resumed.
    - 0 tells the function not to redo the SSL3 handshake if the server
      does not already have the client certificate.
    If a certificate is obtained from the client and verified
    successfully by the server, the ASCII base64 encoding of the
    DER-encoded X.509 certificate is placed in the parameter auth-cert
    in the Request->vars pblock, and the function returns REQ_PROCEED,
    allowing the request to proceed.

Parameter: require
Description:
    Controls whether failure to get a client certificate will abort
    the HTTP request. If require is absent, the default value is 1.
    - 1 tells the function to abort the HTTP request if the client
      certificate is not present after dorequest is handled. In this
      case, the HTTP status is set to PROTOCOL_FORBIDDEN, and the
      function returns REQ_ABORTED.
    - 0 tells the function to return REQ_NOACTION if the client
      certificate is not present after dorequest is handled.

Parameter: method
Description:
    (Optional) Specifies a wildcard pattern for the HTTP methods
    for which the function will be applied. If method is absent,
    the function is applied to all requests.

Parameter: bucket
Description:
    (Optional) Common to all obj.conf functions.
Example
# Get the client certificate from the session.
# If a certificate is not already associated with the session, request one.
# The request fails if the client does not present a valid certificate.
PathCheck fn="get-client-cert" dorequest="1"
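The following obj.conf fragment is an added example, not taken from the product documentation, showing how dorequest, require and method combine for different parts of a site. It assumes an SSL-enabled listener is already configured and that the ppath patterns */secure/admin/*, */secure/* and */public/* correspond to real content directories on the server.

```conf
# Added example (not from the original page). Assumes an SSL-enabled
# listener is already configured and that the ppath patterns below
# match existing content directories.

# Admin area: always require a client certificate. Redo the SSL3
# handshake if the session does not already carry one, and abort
# with 403 FORBIDDEN if the client cannot present a valid certificate.
<Object ppath="*/secure/admin/*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>

# General secure area: only state-changing methods need a certificate.
# GET and HEAD are unaffected because the method pattern does not
# match them.
<Object ppath="*/secure/*">
PathCheck fn="get-client-cert" dorequest="1" require="1" method="(POST|PUT|DELETE)"
</Object>

# Optional certificate: only test for one already on the session
# (dorequest="0") and never abort (require="0"). When a verified
# certificate is present, its base64 DER encoding is available to
# later stages as auth-cert in Request->vars; when it is absent the
# function returns REQ_NOACTION and the application decides what to do.
<Object ppath="*/public/*">
PathCheck fn="get-client-cert" dorequest="0" require="0"
</Object>
```

Because PathCheck directives from every ppath object that matches a request are executed, a request under */secure/admin/* is evaluated by both of the first two objects; that is harmless here since the admin object already enforces the stricter setting. With require="0", nothing on the server side refuses the request, so any stage that reads auth-cert must treat its absence as an unauthenticated client.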