Forum OpenACS Q&A: Client side SSL with AOLServer

I'm looking at different credit card payment gateways. One of the gateways uses the HTTP POST method over a SSL connection to do the credit card verification. The verification can be done in two ways:

1. Redirect the user to the payment gateway's secure website.
2. The server opens a SSL connection to the payment gateway.

The advantage of #1 is that it is simple to implement. However, disadvantage is that your customer gets shuttled to another site to complete the transaction. Since verification service uses form fields, a sophisticated user can edit those fields before transmitting.

Method #2 seems like the best solution because it keeps full control of the transaction on the server side.

It doesn't look like AOLServer has this ability. I believe Lars Pinds has a hack to do this but it requires using a Perl script.

Does anyone know if there is a AOLServer module that will perform this functionality? If not, how difficult would it be to write an AOLServer module to do this? My first guess is that it would require quite a bit of work and knowledge of the OpenSSL libraries.

I'd appreciate any input you guys might have. If it isn't too difficult, I might try to create this module.

Thanks.

I agree this new release looks very good. Thanks Scott! Now AOLserver is a general purpose Secure Server Platform(tm). Can ns_openssl_socklisten validate client certs? Also, is there any easy way to extend the code so that more than one server certificate can be used, depending on the domain name?