| author | Matthew Wild <mwild1@gmail.com> |
| Sat, 24 Sep 2022 09:26:26 +0100 | |
| changeset 5063 | 5f1120c284c5 |
| parent 4437 | 0e3f5f70a51d |
| permissions | -rw-r--r-- |
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
1 |
--- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
2 |
labels: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
3 |
- 'Stage-Alpha' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
4 |
- 'Type-Auth' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
5 |
summary: Client Certificate authentication module |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
6 |
... |
| 1786 | 7 |
|
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
8 |
Introduction |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
9 |
============ |
| 1786 | 10 |
|
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
11 |
This module implements PKI-style client certificate authentication. You |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
12 |
will therefore need your own Certificate Authority. How to set that up |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
13 |
is beyond the current scope of this document. |
| 1786 | 14 |
|
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
15 |
Configuration |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
16 |
============= |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
17 |
|
| 1786 | 18 |
|
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
19 |
authentication = "ccert" |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
20 |
certificate_match = "xmppaddr" -- or "email" |
| 1786 | 21 |
|
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
22 |
c2s_ssl = { |
|
1908
5d84b7fbe3aa
mod_auth_ccert/README: It's cafile, not cacert
Kim Alvefur <zash@zash.se>
parents:
1888
diff
changeset
|
23 |
cafile = "/path/to/your/ca.pem"; |
|
1888
153f063c3d1a
mod_auth_ccert/README: Recomend cacert instead of capath
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
24 |
capath = false; -- Disable capath inherited from built-in default |
|
4436
e83284d4d5c2
mod_auth_ccert/README: Add setting to ensure Prosdy asks for client certificate
Kim Alvefur <zash@zash.se>
parents:
1908
diff
changeset
|
25 |
verify = {"peer"; "client_once"}; -- Ask for client certificate |
|
4437
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4436
diff
changeset
|
26 |
verifyext = { |
|
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4436
diff
changeset
|
27 |
-- Don't validate client certs as if they were server certs |
|
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4436
diff
changeset
|
28 |
lsec_ignore_purpose = false |
|
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4436
diff
changeset
|
29 |
} |
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
30 |
} |
| 1786 | 31 |
|
32 |
||
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
33 |
Compatibility |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
34 |
============= |
| 1786 | 35 |
|
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
36 |
----------------- -------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
37 |
trunk Works |
|
1888
153f063c3d1a
mod_auth_ccert/README: Recomend cacert instead of capath
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
38 |
0.10 and later Works |
|
1807
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
39 |
0.9 and earlier Doesn't work |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1786
diff
changeset
|
40 |
----------------- -------------- |