[Modules] mod_gnutls support for looking up SRP user params in SQL DB (e.g., GNUTLSSRPPasswdQuery)

Quinn Slack sqs at cs.stanford.edu
Wed Apr 27 20:13:20 EDT 2011


Right now, mod_gnutls uses a flat-file SRP verifier to store SRP user
params for TLS-SRP. I would like to implement a database backend
similar to mod_authn_dbd so that mod_gnutls can query an SQL database
for a user's SRP parameters.

This would let mod_gnutls integrate well with Web apps that already do
their own user management. I already have a TLS-SRP WordPress
plugin[1] and Django app[2] that would benefit greatly from this
feature. Currently, I have to modify the SRP passwd file and keep it
in sync with the apps' own user DBs, which is a pain and would not
scale (due to flat-file concurrency issues). With something like
GNUTLSSRPPasswdQuery, however, it would be very easy for these apps to
use TLS-SRP. It would be a great use case for mod_gnutls, too: site
owners could enable SSL on WordPress and Django just by installing
mod_gnutls and my plugins, with no certificate needed.

For example, instead of just being able to specify:
GnuTLSSRPPasswdFile /path/to/passwd.srpv

I would like to be able to specify something like:
DBDriver mysql
DBDParams "dbname=srpauth user=apache password=xxxxxx"
DBDPrepareSQL "SELECT srpN, srpg, srpv, srps FROM srpusers WHERE user = %s" srp_lookup_user
GNUTLSSRPPasswdQuery srp_lookup_user

Unfortunately, mod_authn_dbd (or other mod_authn_*) can't be used
directly (without patches to Apache httpd core), since
AuthDBDUserPWQuery, AuthUserFile, etc., are only valid in directory
configs. Also, they only expose functions for looking up HTTP Basic
and Digest values. In the longer term, I would like to make them
usable for TLS SRP/PAKE authentication (by both mod_gnutls and
mod_ssl[3]) by adding a srp_lookup_user function. That'll take a long
time, however.

I am prepared to submit a patch that implements the
GNUTLSSRPPasswdQuery feature in the next couple of weeks, but I wanted
to solicit feedback on (1) whether this is the best way to do this and
(2) if the mod_gnutls maintainers would accept this patch, even though
it slightly (and unavoidably, without httpd core changes) duplicates
mod_authn_dbd.

[1] http://trustedhttp.org/wiki/TLS-SRP_Authentication_in_WordPress
[2] http://trustedhttp.org/wiki/TLS-SRP_in_Django
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Apache_mod_ssl

-Quinn
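As an added illustration of the proposal above (example code written for this page, not part of Quinn's patch, mod_gnutls or mod_authn_dbd): the web app enrolls a user by computing the RFC 5054 SRP verifier and writing it to the srpusers table from the DBDPrepareSQL statement, and the server side runs the same lookup query. It assumes SQLite as a stand-in for the MySQL database, the 1024-bit group from RFC 5054 Appendix A, and hex-encoded text columns (the .srpv flat file uses a different encoding).

```python
import hashlib
import secrets
import sqlite3

# 1024-bit SRP group from RFC 5054, Appendix A (g = 2). A larger group is
# preferable in production; this one keeps the example short.
N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)
G = 2


def srp_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N, x = SHA1(salt | SHA1(username ":" password)) per RFC 5054."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    x = int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")
    return pow(G, x, N)


def create_srpusers_table(conn: sqlite3.Connection) -> None:
    # Column names match the DBDPrepareSQL statement in the proposal.
    conn.execute("CREATE TABLE IF NOT EXISTS srpusers ("
                 "user TEXT PRIMARY KEY, srpN TEXT, srpg TEXT, srpv TEXT, srps TEXT)")


def enroll_user(conn: sqlite3.Connection, username: str, password: str):
    """What the web app does on signup or password change instead of editing the flat file.
    Only the verifier is stored, never the password; the DB account Apache uses
    should still be read-only, since a leaked verifier allows offline guessing."""
    salt = secrets.token_bytes(16)          # fresh random salt per user
    v = srp_verifier(username, password, salt)
    conn.execute("INSERT OR REPLACE INTO srpusers VALUES (?, ?, ?, ?, ?)",
                 (username, N_HEX, format(G, "x"), format(v, "x"), salt.hex()))
    conn.commit()
    return salt, v


def lookup_srp_user(conn: sqlite3.Connection, username: str):
    """Server-side lookup (same shape as srp_lookup_user); None if the user is unknown."""
    row = conn.execute("SELECT srpN, srpg, srpv, srps FROM srpusers WHERE user = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    n_hex, g_hex, v_hex, s_hex = row
    return int(n_hex, 16), int(g_hex, 16), int(v_hex, 16), bytes.fromhex(s_hex)
```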

