Annotate

mod_auth_ccert/README.markdown @ 5632:ae62d92506dc

mod_s2sout_override: Add support for one-level wildcards (e.g. *.example.net)
author Kim Alvefur <zash@zash.se>
date Thu, 27 Jul 2023 15:04:38 +0200
parent 4433:0e3f5f70a51d
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
1 ---
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
2 labels:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
3 - 'Stage-Alpha'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
4 - 'Type-Auth'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
5 summary: Client Certificate authentication module
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
6 ...
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
8 Introduction
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
9 ============
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
11 This module implements PKI-style client certificate authentication. You
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
12 will therefore need your own Certificate Authority. How to set that up
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
13 is beyond the current scope of this document.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
15 Configuration
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
16 =============
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
17
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
19 authentication = "ccert"
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
20 certificate_match = "xmppaddr" -- or "email"
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
22 c2s_ssl = {
1904
5d84b7fbe3aa mod_auth_ccert/README: It's cafile, not cacert
Kim Alvefur <zash@zash.se>
parents: 1884
diff changeset
23 cafile = "/path/to/your/ca.pem";
1884
153f063c3d1a mod_auth_ccert/README: Recomend cacert instead of capath
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
24 capath = false; -- Disable capath inherited from built-in default
4432
e83284d4d5c2 mod_auth_ccert/README: Add setting to ensure Prosdy asks for client certificate
Kim Alvefur <zash@zash.se>
parents: 1904
diff changeset
25 verify = {"peer"; "client_once"}; -- Ask for client certificate
4433
0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents: 4432
diff changeset
26 verifyext = {
0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents: 4432
diff changeset
27 -- Don't validate client certs as if they were server certs
0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents: 4432
diff changeset
28 lsec_ignore_purpose = false
0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example
Kim Alvefur <zash@zash.se>
parents: 4432
diff changeset
29 }
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
30 }
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
33 Compatibility
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
34 =============
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
36 ----------------- --------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
37 trunk Works
1884
153f063c3d1a mod_auth_ccert/README: Recomend cacert instead of capath
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
38 0.10 and later Works
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
39 0.9 and earlier Doesn't work
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
40 ----------------- --------------