Pathfinder and Apache

What is it?

Our open-source Pathfinder library allows applications to easily perform RFC 3280-compliant path validation of X.509 certificates.

We've created a patch for the Apache web server that allows it to use Pathfinder to validate client certificates. Policy mapping, policy constraints, and name constraints are all handled transparently. Moreover, this patch allows Apache to perform real-time CRL-checking of client certificates without needing to restart the web server.

Current Status:

Pathfinder and this patch for Apache are presently under active development.

Download:

Patch: httpd-2.2.8-pathfinder-20080325.diff.gz

Instructions:

  • Make sure you have the WvStreams 4.4 library installed.
  • Make sure you have Pathfinder 0.2.4 and libpathfinder-openssl installed and appropriately configured.
  • Make sure you have pkg-config installed, and that it knows about libpathfinder.
  • Apply the patch to a clean httpd-2.2.8 or 2.2.6 (or even 2.2.4, though it's been deprecated) build tree.
  • Run "buildconf".
  • When running "./configure", specify "--with-pathfinder".
  • Compile and install Apache.
  • Enable Pathfinder with the "SSLPathfinder on" directive in the Apache server configuration. A target policy OID can be specified using the "SSLPathfinderPolicy" directive.
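
The build steps above as a shell script that first checks the source tree version and the pkg-config prerequisite, then dry-runs the patch before touching the tree. This is an added example, not part of the Pathfinder distribution; the pkg-config module name "libpathfinder", the -p1 strip level and the patch file's location are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Pathfinder project. Assumed, not from the page:
# the pkg-config module name, the patch strip level, and the patch location.
PATCH_GZ="${PATCH_GZ:-httpd-2.2.8-pathfinder-20080325.diff.gz}"  # name from the page
PC_MODULE="${PC_MODULE:-libpathfinder}"   # assumed pkg-config module name
STRIP="${STRIP:-1}"                       # assumed patch -p level

# Classify an httpd version against the releases listed in the instructions.
classify_httpd() {
    case "$1" in
        2.2.8|2.2.6) echo supported ;;
        2.2.4)       echo deprecated ;;
        *)           echo unsupported ;;
    esac
}

# Print one numeric field of the release header, e.g. MAJORVERSION_NUMBER.
field() {
    sed -n "s/^#define AP_SERVER_${2}[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1"
}

# Print the version of an httpd source tree, read from include/ap_release.h.
tree_version() {
    h="$1/include/ap_release.h"
    [ -f "$h" ] || return 1
    echo "$(field "$h" MAJORVERSION_NUMBER).$(field "$h" MINORVERSION_NUMBER).$(field "$h" PATCHLEVEL_NUMBER)"
}

# Check prerequisites, dry-run the patch, then patch and compile the tree.
build() {
    tree="$1"
    v=$(tree_version "$tree") || { echo "not an httpd tree: $tree" >&2; return 1; }
    case "$(classify_httpd "$v")" in
        unsupported) echo "httpd $v is not a listed target" >&2; return 1 ;;
        deprecated)  echo "warning: httpd $v is deprecated" >&2 ;;
    esac
    pkg-config --exists "$PC_MODULE" ||
        { echo "pkg-config cannot find $PC_MODULE" >&2; return 1; }
    # Dry run first (GNU patch) so a failed hunk never dirties the clean tree.
    gzip -dc "$PATCH_GZ" | (cd "$tree" && patch -p"$STRIP" --dry-run) || return 1
    gzip -dc "$PATCH_GZ" | (cd "$tree" && patch -p"$STRIP") || return 1
    # "make install" is left to the operator, since it usually needs privileges.
    (cd "$tree" && ./buildconf && ./configure --with-pathfinder && make)
}

if [ "$#" -gt 0 ]; then build "$1"; fi
```

Run it with the path to the unpacked httpd tree as its only argument; override PC_MODULE or STRIP in the environment if your installation differs from the assumed values.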

Need Help?

Let us know!