prosody-modules
bd3ff802d883
mod_auth_ccert/README.md

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_auth_ccert/README.md @ 6120:bd3ff802d883

mod_anti_spam: Fix another traceback for origin sessions without an IP This is likely to be the case for stanzas originating from local hosts, for example (so not true s2s). It should be safe to bypass the IP check for those.
author Matthew Wild <mwild1@gmail.com>
date Sat, 28 Dec 2024 21:02:08 +0000
parent 6003:fe081789f7b5
line wrap: on
line source

---
labels:
- 'Stage-Alpha'
- 'Type-Auth'
summary: Client Certificate authentication module
...

Introduction
============

This module implements PKI-style client certificate authentication. You
will therefore need your own Certificate Authority. How to set that up
is beyond the current scope of this document.

Configuration
=============


    authentication = "ccert"
    certificate_match = "xmppaddr" -- or "email"

    c2s_ssl = {
        cafile = "/path/to/your/ca.pem";
        capath = false; -- Disable capath inherited from built-in default
        verify = {"peer"; "client_once"}; -- Ask for client certificate
        verifyext = {
            -- Don't validate client certs as if they were server certs
            lsec_ignore_purpose = false
        }
    }


Compatibility
=============

  ----------------- --------------
  trunk             Works
  0.10 and later    Works
  0.9 and earlier   Doesn't work
  ----------------- --------------