mod_auth_ccert/README: Add certificate purpose config to example
Thanks debacle
By default Prosody validates all client certificates as if they were
server certificates, for historical reasons, from a time when you
couldn't get certificates with the client purpose.
--- a/mod_auth_ccert/README.markdown Sat Feb 06 21:34:25 2021 +0100
+++ b/mod_auth_ccert/README.markdown Sat Feb 06 22:15:08 2021 +0100
@@ -23,6 +23,10 @@
cafile = "/path/to/your/ca.pem";
capath = false; -- Disable capath inherited from built-in default
verify = {"peer"; "client_once"}; -- Ask for client certificate
+ verifyext = {
+ -- Don't validate client certs as if they were server certs
+ lsec_ignore_purpose = false
+ }
}