From raison at chatsubo.net Mon Apr 13 22:28:33 2009
From: raison at chatsubo.net (Kevin Raison)
Date: Mon, 13 Apr 2009 15:28:33 -0700
Subject: [drakma-devel] drakma and personal ssl certificates
Message-ID: <49E3BC91.8080400@chatsubo.net>

Hello. I am using a site for credit card authorization that requires me
to send my personal SSL certificate with any POST. I don't see anything
in the Drakma documentation about how to go about this; is it possible?
I would rather not use curl, but it does have the -E option that
allows for sending certificates to the remote host. Any help would be
appreciated!

Thanks,
Kevin Raison

From edi at agharta.de Tue Apr 14 06:27:01 2009
From: edi at agharta.de (Edi Weitz)
Date: Tue, 14 Apr 2009 08:27:01 +0200
Subject: [drakma-devel] drakma and personal ssl certificates
In-Reply-To: <49E3BC91.8080400@chatsubo.net>
References: <49E3BC91.8080400@chatsubo.net>
Message-ID:

On Tue, Apr 14, 2009 at 12:28 AM, Kevin Raison wrote:
> Hello. I am using a site for credit card authorization that requires me
> to send my personal SSL certificate with any POST. I don't see anything
> in the Drakma documentation about how to go about this; is it possible?
> I would rather not use curl, but it does have the -E option that
> allows for sending certificates to the remote host. Any help would be
> appreciated!

I have to admit that I'm not familiar with how this is done in
general. Is there an RFC for this or can you point me to some
documentation?

Thanks,
Edi.

From raison at chatsubo.net Tue Apr 14 10:06:03 2009
From: raison at chatsubo.net (Kevin Raison)
Date: Tue, 14 Apr 2009 03:06:03 -0700
Subject: [drakma-devel] drakma and personal ssl certificates
In-Reply-To:
References: <49E3BC91.8080400@chatsubo.net>
Message-ID: <49E4600B.1000100@chatsubo.net>

Edi, basically, the HTTP server forces the client to authenticate itself
using a client certificate. I believe RFC2246 describes the process,
see http://www.ietf.org/rfc/rfc2246.txt. The patches at
http://web.kepibu.org/code/lisp/cl+ssl/ which add client certificate
support have already been incorporated into CL+SSL, so it should be
relatively easy to add support to Drakma, perhaps by adding
client-ssl-certificate and client-ssl-key keywords to http-request and
then passing the args to cl+ssl:make-ssl-client-stream in request.lisp.
Unless I have missed something and there is a way to do this already,
I will experiment and send you a patch.

Cheers.
Kevin

Edi Weitz wrote:
> On Tue, Apr 14, 2009 at 12:28 AM, Kevin Raison wrote:
>> Hello. I am using a site for credit card authorization that requires me
>> to send my personal SSL certificate with any POST. I don't see anything
>> in the Drakma documentation about how to go about this; is it possible?
>> I would rather not use curl, but it does have the -E option that
>> allows for sending certificates to the remote host. Any help would be
>> appreciated!
>
> I have to admit that I'm not familiar with how this is done in
> general. Is there an RFC for this or can you point me to some
> documentation?
>
> Thanks,
> Edi.
>
> _______________________________________________
> drakma-devel mailing list
> drakma-devel at common-lisp.net
> http://common-lisp.net/cgi-bin/mailman/listinfo/drakma-devel
>

From raison at chatsubo.net Tue Apr 14 10:10:15 2009
From: raison at chatsubo.net (Kevin Raison) Date: Tue, 14 Apr 2009 03:10:15 -0700 Subject: [drakma-devel] drakma and personal ssl certificates In-Reply-To: <49E4600B.1000100@chatsubo.net> References: <49E3BC91.8080400@chatsubo.net> <49E4600B.1000100@chatsubo.net> Message-ID: <49E46107.5020901@chatsubo.net> I think it might be this easy (although I have ignored support for Allegro, given that I can't afford their licensing fees): --- request.lisp.orig 2009-04-14 02:58:20.000000000 -0700 +++ request.lisp 2009-04-14 03:03:15.000000000 -0700 @@ -200,6 +200,8 @@ force-binary want-stream stream + client-ssl-certificate + client-ssl-key #+:lispworks (connection-timeout 20) #+:lispworks (read-timeout 20) #+(and :lispworks (not :lw-does-not-have-write-timeout)) 
@@ -475,9 +477,15 @@ (socket:make-ssl-client-stream http-stream) #-:allegro (let ((s http-stream)) - (cl+ssl:make-ssl-client-stream - (cl+ssl:stream-fd s) - :close-callback (lambda () (close s))))))) + (if (and client-ssl-certificate client-ssl-key) + (cl+ssl:make-ssl-client-stream + (cl+ssl:stream-fd s) + :certificate client-ssl-certificate + :key client-ssl-key + :close-callback (lambda () (close s))) + (cl+ssl:make-ssl-client-stream + (cl+ssl:stream-fd s) + :close-callback (lambda () (close s)))))))) (cond (stream (setf (flexi-stream-element-type http-stream) #+:lispworks 'lw:simple-char #-:lispworks 'character I will test this as soon as I get my client certificate from the credit card processor. Cheers. Kevin Raison Kevin Raison wrote: > Edi, basically, the HTTP server forces the client to authenticate itself > using a client certificate. I believe RFC2246 describes the process, > see http://www.ietf.org/rfc/rfc2246.txt. The patches at > http://web.kepibu.org/code/lisp/cl+ssl/ which add client certificate > support have already been incorporated into CL+SSL, so it should be > relatively easy to add support to Drakma, perhaps by adding > client-ssl-certificate and client-ssl-key keywords to http-request and > then passing the args to cl+ssl:make-ssl-client-stream in request.lisp. > Unless I have missed something and there is a way to do this already, > I will experiment and send you a patch. > > Cheers. > Kevin > > > Edi Weitz wrote: >> On Tue, Apr 14, 2009 at 12:28 AM, Kevin Raison wrote: >>> Hello. I am using a site for credit card authorization that requires me >>> to send my personal SSL certificate with any POST. I don't see anything >>> in the Drakma documentation about how to go about this; is it possible? >>> I would rather not use curl, but it does have the -E option that >>> allows for sending certificates to the remote host. Any help would be >>> appreciated! >> I have to admit that I'm not familiar with how this is done in >> general. 
Is there an RFC for this or can you point me to some
>> documentation?
>>
>> Thanks,
>> Edi.
>>
>> _______________________________________________
>> drakma-devel mailing list
>> drakma-devel at common-lisp.net
>> http://common-lisp.net/cgi-bin/mailman/listinfo/drakma-devel
>>
>
> _______________________________________________
> drakma-devel mailing list
> drakma-devel at common-lisp.net
> http://common-lisp.net/cgi-bin/mailman/listinfo/drakma-devel
>

From edi at agharta.de Tue Apr 14 11:07:28 2009
From: edi at agharta.de (Edi Weitz)
Date: Tue, 14 Apr 2009 13:07:28 +0200
Subject: [drakma-devel] drakma and personal ssl certificates
In-Reply-To: <49E46107.5020901@chatsubo.net>
References: <49E3BC91.8080400@chatsubo.net> <49E4600B.1000100@chatsubo.net> <49E46107.5020901@chatsubo.net>
Message-ID:

On Tue, Apr 14, 2009 at 12:10 PM, Kevin Raison wrote:
> I think it might be this easy (although I have ignored support for
> Allegro, given that I can't afford their licensing fees):

Thanks. Support for LispWorks would be fine, though. And we'll also need
updated docstrings and HTML documentation.

http://weitz.de/patches.html

Cheers,
Edi.
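
Review bot: The two keywords added in the first hunk of the request.lisp patch (@@ -200,6 +200,8 @@), client-ssl-certificate and client-ssl-key, come with no docstring text anywhere in the patch. The docstring should say what value each one takes, that the second hunk only uses them when both are non-nil, and that they have no effect on the unchanged Allegro call (socket:make-ssl-client-stream http-stream).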
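
Review bot: The test (if (and client-ssl-certificate client-ssl-key) ...) in the second hunk of the request.lisp patch (@@ -475,9 +477,15 @@) falls through to the plain cl+ssl:make-ssl-client-stream call when only one of the two arguments is supplied, so a caller who passes a certificate without a key gets a connection that presents no client certificate and sees no error from Drakma. Signalling an error when exactly one of the pair is given would surface the mistake at the call site instead of as a rejected request at the server. The two branches also differ only in :certificate and :key; if cl+ssl:make-ssl-client-stream treats nil for those keywords as absent, a single call passing both would avoid repeating the :close-callback form.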