Supporting TLS client certificate in PHP?

Remco me at rwv.io
Mon Dec 21 10:35:36 GMT 2020


2020/12/21 10:42, Côme Chilliet:

> Current PHP cannot do that. Not sure what would be the best API for
> this feature if it was added. Most likely a new context option for ssl
> which says the client cert is optional. I guess to be complete it
> would allow disabling client cert validation altogether, or only
> when client cert is absent.
>
> Another solution is to allow PHP code to set its own callback, but it
> seems to be dangerous and hard to use.

I feel your pain, client certs seem to be not very widely used so a lot
of platforms don't support them out of the box.  For dʒɛmɪni, I
have/had a similar problem with racket, its standard ssl implementation
does not handle client certificates at all, so I ended up breaking it
open and allowing SSL_CTX_set_verify to be set with SSL_VERIFY_PEER.

Access to the actual client certificate from the connection context
turned out to be a lot harder in the openssl racket setup, so, yes, I went
with dangerous and hard (passing certificate info through a thread local).
I had already fiddled with thread locals to do SNI (another thing
apparently not very popular in racket) so I kinda got used to that...

For details see:

  https://git.sr.ht/~rwv/dezhemini/tree/client-cert/item/openssl-extra.rkt

and search for verify-callback in:

  https://git.sr.ht/~rwv/dezhemini/tree/client-cert/item/dezhmnsrv.rkt

Cheers,
R.


More information about the Gemini mailing list