get-client-cert
Applicable in PathCheck-class directives.
The get-client-cert function gets the authenticated
client certificate from the SSL3 session. It can apply to all HTTP methods,
or only to those that match a specified pattern. It only works when SSL is
enabled on the server.
If the certificate is present or obtained from the SSL3 session, the
function returns REQ_NOACTION, allowing the request to
proceed; otherwise, it returns REQ_ABORTED and sets the
protocol status to 403 FORBIDDEN, causing the request to
fail and the client to be given the FORBIDDEN status.
Parameters
The following table describes parameters for the get-client-cert function.
Table 4–24 get-client-cert Parameters

dorequest
    Controls whether to actually try to get the certificate, or just test
    for its presence. If dorequest is absent, the default value is 0.
    - 1 tells the function to redo the SSL3 handshake to get a client
      certificate, if the server does not already have the client
      certificate. This typically causes the client to present a dialog box
      to the user to select a client certificate. The server may already
      have the client certificate if it was requested on the initial
      handshake, or if a cached SSL session has been resumed.
    - 0 tells the function not to redo the SSL3 handshake if the server
      does not already have the client certificate.
    If a certificate is obtained from the client and verified successfully
    by the server, the ASCII base64 encoding of the DER-encoded X.509
    certificate is placed in the parameter auth-cert in the Request->vars
    pblock, and the function returns REQ_PROCEED, allowing the request to
    proceed.

require
    Controls whether failure to get a client certificate will abort the
    HTTP request. If require is absent, the default value is 1.
    - 1 tells the function to abort the HTTP request if the client
      certificate is not present after dorequest is handled. In this case,
      the HTTP status is set to PROTOCOL_FORBIDDEN, and the function
      returns REQ_ABORTED.
    - 0 tells the function to return REQ_NOACTION if the client
      certificate is not present after dorequest is handled.

method
    (Optional) Specifies a wildcard pattern for the HTTP methods for which
    the function will be applied. If method is absent, the function is
    applied to all requests.

bucket
    (Optional) Common to all obj.conf functions.
Example

    # Get the client certificate from the session.
    # If a certificate is not already associated with the
    # session, request one (dorequest="1").
    # Because require defaults to 1, the request fails with
    # 403 FORBIDDEN if the client does not present a valid
    # certificate.
    PathCheck fn="get-client-cert" dorequest="1"
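The auth-cert value that get-client-cert stores is the base64 encoding of the DER-encoded X.509 certificate. The following added example (not part of the Web Server documentation or its NSAPI code) shows how a downstream consumer can decode that value and walk the outer DER structure to read the certificate version and serial number. It models the Request->vars pblock as a plain dict and uses a constructed, unsigned Certificate skeleton as sample input, so it is not a real certificate; the absent-key case is what a plugin sees after require="0" with no certificate presented.

```python
import base64


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_auth_cert(vars_pblock):
    """Decode vars["auth-cert"] (base64 DER X.509) into {"version", "serial"}.

    Returns None when no certificate was attached, which is the state a
    later SAF sees after get-client-cert ran with require="0" and the
    client sent nothing.
    """
    b64 = vars_pblock.get("auth-cert")
    if b64 is None:
        return None
    der = base64.b64decode(b64, validate=True)
    tag, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("auth-cert is not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    version = 1                              # v1 when the [0] EXPLICIT tag is absent
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                          # [0] EXPLICIT Version INTEGER
        _, v, _ = read_tlv(val, 0)
        version = int.from_bytes(v, "big") + 1
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    serial = int.from_bytes(val, "big", signed=True)   # CertificateSerialNumber is a signed INTEGER
    return {"version": version, "serial": serial}


# Constructed minimal Certificate skeleton (NOT a real or signed certificate):
# SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER 42 }, SEQUENCE {}, BIT STRING "" }
TBS = b"\x30\x08" + b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x2a"
BODY = TBS + b"\x30\x00" + b"\x03\x01\x00"
CERT = b"\x30" + bytes([len(BODY)]) + BODY
SAMPLE_VARS = {"auth-cert": base64.b64encode(CERT).decode("ascii")}
```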