prosody-modules
Changeset 4433:0e3f5f70a51d
mod_auth_ccert/README: Add certificate purpose config to example
Thanks debacle
By default Prosody validates all client certificates as if they were
server certificates, for historical reasons, from a time when you
couldn't get certificates with the client purpose.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 06 Feb 2021 22:15:08 +0100 |
parents | 4432:e83284d4d5c2 |
children | 4434:f10ab82be166 |
files | mod_auth_ccert/README.markdown |
diffstat | 1 files changed, 4 insertions(+), 0 deletions(-) |
--- a/mod_auth_ccert/README.markdown Sat Feb 06 21:34:25 2021 +0100 +++ b/mod_auth_ccert/README.markdown Sat Feb 06 22:15:08 2021 +0100 @@ -23,6 +23,10 @@ cafile = "/path/to/your/ca.pem"; capath = false; -- Disable capath inherited from built-in default verify = {"peer"; "client_once"}; -- Ask for client certificate + verifyext = { + -- Don't validate client certs as if they were server certs + lsec_ignore_purpose = false + } }
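Review bot: The comment above the added `lsec_ignore_purpose = false` line does not say that `false` here switches off a default, so a reader sees a key named "ignore purpose" set to false next to a comment starting with "Don't" and has to untangle the double negative. The `capath = false` line just above already solves this with "Disable capath inherited from built-in default"; the same pattern would fit, for example `-- Disable the default lsec_ignore_purpose so client certs are checked for the client purpose`. Since the commit message explains that the default exists because client-purpose certificates used to be hard to obtain, the README text should also mention that certificates lacking the client purpose may no longer validate once this is set. Minor style point: the new `lsec_ignore_purpose = false` line and the closing `}` of `verifyext` have no trailing `;`, unlike the `cafile`, `capath` and `verify` entries around them.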