$Web_Cert_Info

From m204wiki
Revision as of 21:38, 21 February 2011 by Admin (1 revision)

Retrieve client certificate information


$Web_Cert_Info retrieves information about the client or certificate signer from a received client certificate.

Syntax

%INFO = $Web_Cert_Info( item, level )


$Web_Cert_Info accepts two arguments, the first one required, and returns a string containing the information associated with the requested item.

For a non-SSL connection, or for a connection in which the client certificate is optional (SSLCLCERT, not SSLCLCERTR, is set on the JANUS DEFINE) and the client chooses not to send a certificate, $Web_Cert_Info returns a null. A null is also returned if a certificate is received but the requested piece of information is not in the requested level.


item The name of the certificate item to return. These items are described in detail under "Client certificate items".
level The certificate level from which the information is to be returned. Level 0 corresponds to the client or the "subject" of the certificate; level 1 to the "signer" of the certificate; level 2 to the "signer" of the level 1 signer's certificate; and so on. This is an optional parameter, and it defaults to 0.


Notes:

  • Janus Network Security does not accept any client certificate that was not signed by a trusted certifying authority, that is, one whose certificate was added to a port with the JANUS ADDCA command. As such, a $Web_Cert_Info call for level 1 is guaranteed to return information already in a "known" certifying authority certificate.
  • As of Sirius Mods 7.7, if a Janus SSL server program issues $Web_Cert_Info or $Web_Cert_Levels, the returned string will be null if the server port definition includes the SSLCLCERT or SSLCLCERTR parameter. Those JANUS DEFINE parameters cause a request for a client certificate in the initial server-client handshake that establishes the SSL connection. The $Web_Cert_Info or $Web_Cert_Levels call in this case would be a second request for a certificate, and a client certificate may only be requested once for an SSL session (whether or not the request successfully gets a certificate in return). If neither of those JANUS DEFINE parameters is specified, a server's $Web_Cert_Info or $Web_Cert_Levels call will cause an SSL renegotiation (that is, a new handshake) that requests a digital certificate from the client. This allows a port to require a client certificate for some content, but not for other content. In the renegotiation, the server requests a certificate, but does not insist that the client present one. The returned string from the method call may therefore still be null because no certificate was provided. If another function or method causes a renegotiation by requesting a client certificate, a subsequent $Web_Cert_Info or $Web_Cert_Levels call will not cause another request for a client certificate, whether or not a client certificate was returned for the initial renegotiation. This is because:
    • There is no reason a client would not return a certificate on an initial renegotiation, but return a certificate on a later renegotiation.
    • There is no reason a client would return a certificate on an initial renegotiation, then return a different client certificate on a subsequent SSL renegotiation.
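
The following User Language sketch is an added example, not code from the original page or from the Janus documentation. It gates protected content on the level 0 and level 1 values described above. ITEM_NAME is a placeholder for a name from the client certificate items list, and the CA value, variable names and audit messages are constructed for illustration.

```userlanguage
Begin
* Added example. ITEM_NAME is a placeholder: substitute an item name
* from the "Client certificate items" list. The CA value is constructed.
%subject is string len 255
%signer  is string len 255
%allowed is float

%allowed = 0

* Level 0 is the subject of the client certificate. On a port with
* neither SSLCLCERT nor SSLCLCERTR, this call causes the SSL
* renegotiation that asks the client for a certificate.
%subject = $Web_Cert_Info('ITEM_NAME', 0)

If %subject eq '' Then
* Null covers a non-SSL connection, no certificate sent, and an item
* missing at this level; all are treated here as unauthenticated.
   Audit 'Protected content refused: no client certificate identity'
Else
* Level 1 is the signer. Janus only accepts signers added with
* JANUS ADDCA, so this check narrows several trusted CAs down to one.
   %signer = $Web_Cert_Info('ITEM_NAME', 1)
   If %signer eq 'Example Internal CA' Then
      %allowed = 1
   Else
      Audit 'Protected content refused: signer is ' With %signer
   End If
End If

* The application serves the protected content only when %allowed is 1.
If %allowed eq 1 Then
   Audit 'Protected content allowed for ' With %subject
End If
End
```

Because a null return does not distinguish "no certificate" from "item not present at that level", the sketch denies access in both cases rather than guessing.
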
Client certificate items

The following items can be requested with $Web_Cert_Info: