Ticket #921 (new enhancement)

Opened 2 years ago

Last modified 1 year ago

Client SSL Authentication Module

Reported by: harningt Assigned to: jan
Priority: normal Milestone:
Component: mod_auth Version:
Severity: normal Keywords:
Cc: Blocking:
Need Feedback: 0

Description

Since SSL is already integrated, there should be a client-certificate authentication module. I believe such a module exists for Apache (however their SSL implementation looks to be all as a module...) so perhaps somebody can look there for advice...

Maybe this can be integrated such that a Lua script can receive certificate information and map this to usable information... not sure how client-cert auth works in the backend besides the fact that the cert must be signed by a CA in the chain of authorized CAs for client-cert auth...

Attachments

lighttpd-1.4.13_ssl_client_verify_0.2.patch (4.6 kB) - added by Lars on 03/02/2007 06:14:38 PM.
lighttpd-1.4.16_ssl-client-verify_0.3.patch (8.5 kB) - added by presbrey on 07/26/2007 02:54:23 PM.
Client SSL Authentication Patch with SSL_CLIENT_S_DN environment variables for CGI/FastCGI/SCGI

Change History

03/02/2007 06:14:38 PM changed by Lars

  • attachment lighttpd-1.4.13_ssl_client_verify_0.2.patch added.

03/02/2007 06:22:29 PM changed by Lars

lighttpd-1.4.13_ssl_client_verify_0.2.patch:

Client validation is controlled with two new config options:

ssl.verify-peer (boolean, default = "disable")
ssl.verify-depth (short, default = 9)


If verification is turned on, lighttpd disconnects all clients which do not provide a valid client certificate. Note: You will also need the CA file which provides the root certificate for validation:

ssl.ca-file             = "/path/to/ca.crt"


An example SSL section in 'lighttpd.conf' looks like this:

ssl.engine              = "enable"
ssl.use-sslv2           = "disable"
ssl.pemfile             = "/etc/lighttpd/server.pem"
ssl.ca-file             = "/etc/lighttpd/ca.crt"
ssl.verify-peer         = "enable"
ssl.verify-depth        = 1

05/22/2007 09:09:36 PM changed by sfmcfar@gmail.com

Lars,

Will this patch set all of the environment variables that one would expect to see when using SSL client certificates?

Thanks,

Stan McFarland sfmcfar@gmail.com

07/26/2007 02:54:23 PM changed by presbrey

  • attachment lighttpd-1.4.16_ssl-client-verify_0.3.patch added.

Client SSL Authentication Patch with SSL_CLIENT_S_DN environment variables for CGI/FastCGI/SCGI
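Added example (not part of the attached patches or of lighttpd): with ssl.verify-peer enabled, any certificate that chains to ssl.ca-file is accepted, so a CGI/FastCGI/SCGI backend still has to decide which subject maps to which account. The sketch assumes SSL_CLIENT_S_DN carries the subject as one slash-separated string; the organisation name, account table and function names are constructed for illustration.

```python
import re

# Assumption: SSL_CLIENT_S_DN holds the subject as one slash-separated string,
# e.g. "/C=US/O=Example Corp/CN=alice". All names and values are constructed.
REQUIRED_ORG = "Example Corp"
CN_TO_ACCOUNT = {"alice": "ops-alice", "bob": "dev-bob"}
# One component: attribute name, '=', then a value without control characters.
_RDN = re.compile(r"[A-Za-z][A-Za-z0-9.]*=[^\x00-\x1f]+")


def parse_subject_dn(dn):
    """Split a slash-separated DN into (attribute, value) pairs or raise ValueError."""
    if not dn.startswith("/"):
        raise ValueError("DN does not start with '/'")
    pairs = []
    for part in dn[1:].split("/"):
        if not _RDN.fullmatch(part):
            raise ValueError("malformed DN component: %r" % part)
        attr, value = part.split("=", 1)
        pairs.append((attr.upper(), value))
    return pairs


def account_for_request(environ):
    """Return the local account for the verified client certificate, or None."""
    # Read only the server-set variable. A request header named Ssl-Client-S-Dn
    # reaches CGI as HTTP_SSL_CLIENT_S_DN and must never be trusted.
    dn = environ.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    try:
        pairs = parse_subject_dn(dn)
    except ValueError:
        return None
    orgs = [v for a, v in pairs if a == "O"]
    cns = [v for a, v in pairs if a == "CN"]
    # The format cannot tell a '/' inside a value from a separator, so a subject
    # that yields more than one O or CN is ambiguous and is rejected outright.
    if orgs != [REQUIRED_ORG] or len(cns) != 1:
        return None
    return CN_TO_ACCOUNT.get(cns[0])
```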

08/06/2007 01:02:15 AM changed by nmaier

  • blocking changed.
  • pending changed.

Ported to trunk, enhanced and backported to 1.4.x: #1288

Thanks Lars for pointing me in the right direction. :D

