can pound handle client certificates for me?
Frantisek Dufka <dufkaf(at)seznam.cz>
2004-07-19 17:43:47 [ FULL ]
Hello,

I have an HTTP-based administration interface of tool X that does not know 
anything about HTTPS or client certificates. I need to share this 
interface safely with several people located in various parts of the 
globe. I cannot use restrictions based on IP addresses since they are 
not static. I also do not have source for tool X so I cannot add code 
for checking the X-SSL-* headers. Can Pound handle all the HTTPS stuff 
with checking the client certificates for me so I can use it as a proxy 
for tool X? I searched the FAQ and the mailing list archives but 
couldn't find a definite answer.

Can I use the HTTPSHeaders directive combined with HeadRequire directive 
to do all the checking of the certificates in the Pound itself?

Thanks for your reply.

Frantisek

Re: can pound handle client certificates for me?
Robert Segall <roseg(at)apsis.ch>
2004-07-19 18:26:18 [ FULL ]
On Monday 19 July 2004 17.43, Frantisek Dufka wrote:[...]

Pound will check your client certificates, but you are mixing up two separate 
issues here:

- Pound can verify the validity of the certificate presented by the client: it 
can be used to allow only clients that present a certificate, or only clients 
that present certificates issued by certain CAs.

- The above has nothing to do with identification: the fact that your client 
presents a certificate does not tell you who it actually is.
[...]

Yes.
[...]

If the above checks are enough for you then you are set. If your application 
asks the users for a password the problem is solved, otherwise you will need 
to modify the application - it should either look at the X-SSL-* headers or 
do basic authentication (which would go through HTTPS). Only you can decide 
what the security requirements are.[...]

Re: can pound handle client certificates for me?
Frantisek Dufka <dufkaf(at)seznam.cz>
2004-07-20 11:15:16 [ FULL ]
Hello Robert,

thanks for the answers. It's true that I misused the term 'checking the 
client certificates' a bit. I was thinking about verifying the 
certificate as well as checking that the certificate is issued by our 
CA. In that case this means for me also some level of identification and 
authentication. The fact that the client presents a certificate from 
our CA does tell me that it is someone who received it (hopefully from 
us :-). Combined with password authentication this should be enough 
for me.

My main motivation is that I want to make tool X accessible only for 
some people and also (since I don't have source for tool X) I want to be 
protected from possible bugs and backdoors in this tool. Therefore the 
best would be to filter the unauthorized TCP connections at the Pound 
level without letting everyone connect to the tool X directly.

If I understood it correctly this scenario can be realized with Pound in 
the following way. Can you please comment on the exact syntax or proper 
usage of the directives? The man page and the FAQ seem to be a bit 
vague on this issue.

CAlist - have only our CA in the list

HTTPSHeaders 2 "X-SSL-*" - can I use the wildcards or have a comma 
separated list or multiple directives with specific X-SSL- header names?

HeadRemove "X-SSL-*" - can I use the wildcards?

And optionally also
HeadRequire "X-SSL-serial" "certificate serial"
or
HeadRequire "X-SSL-certificate" "Full client certificate in multiline 
PEM format" -
for checking the specific certificate. Can this work?

Frantisek
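
Added example, not part of the thread and not Pound code: the kind of X-SSL-* check Robert describes the application doing, written as a Python function that a small shim in front of tool X could apply to each forwarded request. The serial values, their hex-string format and the function names are assumptions for illustration, and it relies on the CA list holding only one CA, so that a serial identifies one certificate.

```python
# Added example: allowlist check on the X-SSL-serial header set by the proxy.
# Serial values and their format are constructed for illustration.
ALLOWED_SERIALS = {"01A4", "01A7"}


def ssl_headers(headers):
    """Collect X-SSL-* headers case-insensitively, keeping duplicates."""
    found = {}
    for name, value in headers:
        key = name.strip().lower()
        if key.startswith("x-ssl-"):
            found.setdefault(key, []).append(value.strip())
    return found


def authorize(headers):
    """Return (allowed, reason) for one request given as (name, value) pairs."""
    ssl = ssl_headers(headers)
    # Two copies of any X-SSL-* header mean a client-supplied one was not
    # stripped before the proxy added its own, so no value can be trusted.
    for key, values in ssl.items():
        if len(values) > 1:
            return False, "duplicate " + key
    serials = ssl.get("x-ssl-serial")
    if not serials:
        return False, "no X-SSL-serial header"
    if serials[0].upper() not in ALLOWED_SERIALS:
        return False, "serial not on allowlist"
    return True, "ok"


# Constructed sample requests, as header lists the shim would receive.
SAMPLES = [
    [("Host", "admin.example"), ("X-SSL-serial", "01a4")],
    [("Host", "admin.example"), ("X-SSL-serial", "0BAD")],
    [("x-ssl-serial", "01A4"), ("X-SSL-serial", "0BAD")],
    [("Host", "admin.example")],
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(authorize(request))
```

The duplicate-header case is the reason the headers a client sends under these names have to be removed before the proxy's own are added.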
