Software / code / prosody-modules
Annotate
mod_auth_ccert/README.markdown @ 5416:2393dbae51ed
mod_http_oauth2: Add option for specifying TTL of registered clients
Meant to simplify configuration, since TTL vs ignoring expiration is
expected to be the main thing one would want to configure.
Unsure what the implications of having unlimited lifetime of clients
are, given no way to revoke them currently, short of rotating the
signing secret.
On one hand, it would be annoying to have the client expire.
On the other hand, it is trivial to re-register it.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 04 May 2023 18:41:33 +0200 |
| parent | 4433:0e3f5f70a51d |
| rev | line source |
|---|---|
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
1 --- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
2 labels: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
3 - 'Stage-Alpha' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
4 - 'Type-Auth' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
5 summary: Client Certificate authentication module |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
6 ... |
| 1782 | 7 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
8 Introduction |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
9 ============ |
| 1782 | 10 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
11 This module implements PKI-style client certificate authentication. You |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
12 will therefore need your own Certificate Authority. How to set that up |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
13 is beyond the current scope of this document. |
| 1782 | 14 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
15 Configuration |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
16 ============= |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
17 |
| 1782 | 18 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
19 authentication = "ccert" |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
20 certificate_match = "xmppaddr" -- or "email" |
| 1782 | 21 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
22 c2s_ssl = { |
|
1904
5d84b7fbe3aa
mod_auth_ccert/README: It's cafile, not cacert
Kim Alvefur <zash@zash.se>
parents:
1884
diff
changeset
|
23 cafile = "/path/to/your/ca.pem"; |
|
1884
153f063c3d1a
mod_auth_ccert/README: Recomend cacert instead of capath
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
24 capath = false; -- Disable capath inherited from built-in default |
|
4432
e83284d4d5c2
mod_auth_ccert/README: Add setting to ensure Prosdy asks for client certificate
Kim Alvefur <zash@zash.se>
parents:
1904
diff
changeset
|
25 verify = {"peer"; "client_once"}; -- Ask for client certificate |
|
4433
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4432
diff
changeset
|
26 verifyext = { |
|
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4432
diff
changeset
|
27 -- Don't validate client certs as if they were server certs |
|
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4432
diff
changeset
|
28 lsec_ignore_purpose = false |
|
0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents:
4432
diff
changeset
|
29 } |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
30 } |
| 1782 | 31 |
| 32 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
33 Compatibility |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
34 ============= |
| 1782 | 35 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
36 ----------------- -------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
37 trunk Works |
|
1884
153f063c3d1a
mod_auth_ccert/README: Recomend cacert instead of capath
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
38 0.10 and later Works |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
39 0.9 and earlier Doesn't work |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
40 ----------------- -------------- |
