Feature #921

Client SSL Authentication Module

Added by harningt over 12 years ago. Updated over 9 years ago.

Status: Fixed
Priority: Normal
Assignee:
Category: mod_auth
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

Since SSL is already integrated, there should be a client-certificate authentication module.
I believe such a module exists for Apache (however their SSL implementation looks to be all as a module...) so perhaps somebody can look there for advice...

Maybe this can be integrated such that a Lua script can receive certificate information and map this to usable information... not sure how client-cert auth works in the backend besides the fact that the cert must be signed by a CA in the chain of authorized CAs for client-cert auth...

lighttpd-1.4.13_ssl_client_verify_0.2.patch (4.61 KB) - Lars, 2007-03-02 18:14
lighttpd-1.4.16_ssl-client-verify_0.3.patch (8.5 KB) - Client SSL Authentication Patch with SSL_CLIENT_S_DN environment variables for CGI/FastCGI/SCGI - presbrey, 2007-07-26 14:54

Related issues

Is duplicate of Feature #1288: SSL Client Certificate validation. (Fixed)

History

#1

Updated by Lars over 12 years ago

lighttpd-1.4.13_ssl_client_verify_0.2.patch:

Client validation is controlled with two new config options:


ssl.verify-peer (boolean, default = "disable")
ssl.verify-depth (short, default = 9)

If verification is turned on, lighttpd disconnects all clients
which do not provide a valid client certificate.
Note: You will also need the CA file which provides the root
certificate for validation:


ssl.ca-file             = "/path/to/ca.crt" 

An example SSL section in 'lighttpd.conf' looks like this:


ssl.engine              = "enable" 
ssl.use-sslv2           = "disable" 
ssl.pemfile             = "/etc/lighttpd/server.pem" 
ssl.ca-file             = "/etc/lighttpd/ca.crt" 
ssl.verify-peer         = "enable" 
ssl.verify-depth        = 1
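
As an added example (not part of this thread or of the patch), a small Python check that audits an SSL section for the options named in the comment above, using the defaults the comment states. It assumes flat `ssl.key = value` lines only (no conditionals or includes); the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the example section from the comment above, with ssl.ca-file removed.
SAMPLE_MISSING_CA = '''
ssl.engine       = "enable"
ssl.use-sslv2    = "disable"
ssl.pemfile      = "/etc/lighttpd/server.pem"
ssl.verify-peer  = "enable"
ssl.verify-depth = 1
'''

# Matches `ssl.<name> = "value"` or `ssl.<name> = value`, ignoring a trailing comment.
_LINE = re.compile(r'^\s*(ssl\.[\w-]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_ssl_options(text):
    """Collect flat ssl.* assignments; commented-out lines are skipped."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def audit_client_verify(text):
    """Return a list of findings about client-certificate verification."""
    opts = parse_ssl_options(text)
    if opts.get("ssl.engine") != "enable":
        return ["ssl.engine is not enabled; client verification cannot apply"]
    findings = []
    # Default stated in the comment: ssl.verify-peer = "disable".
    if opts.get("ssl.verify-peer", "disable") != "enable":
        findings.append("ssl.verify-peer is disabled: client certificates are not required")
    elif not opts.get("ssl.ca-file"):
        # The comment notes that the CA file is needed for validation.
        findings.append("ssl.verify-peer is enabled but ssl.ca-file is not set")
    # Default stated in the comment: ssl.verify-depth = 9.
    depth = opts.get("ssl.verify-depth", "9")
    if not depth.isdigit():
        findings.append("ssl.verify-depth is not a non-negative integer: %r" % depth)
    if opts.get("ssl.use-sslv2") == "enable":
        findings.append("ssl.use-sslv2 is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_client_verify(SAMPLE_MISSING_CA):
        print(finding)
```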

#2

Updated by Anonymous about 12 years ago

Lars,

Will this patch set all of the environment variables that one would expect to see when using SSL client certificates?

Thanks,

Stan McFarland

-- sfmcfar

#3

Updated by nmaier almost 12 years ago

Ported to trunk, enhanced and backported to 1.4.x: #1288

Thanks Lars for pointing me in the right direction. :D

#4

Updated by stbuehler over 9 years ago

  • Status changed from New to Fixed

Applied in changeset r2688.
