Feature #2245

SSL : authenticate only clients for a particular URL

Added by ohe almost 10 years ago. Updated over 3 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_auth
Target version:

Description

This kind of configuration does not work.

$SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.pemfile = "/tmp/pub.pem" 
    ssl.ca-file = "/tmp/ca.pem" 
    ssl.verifyclient.activate = "disable" 
    $HTTP["url"] =~ "^/ssl-authentication-required/" {
        ssl.verifyclient.activate = "enable" 
        ssl.verifyclient.depth = 2
    }
}

There's no way today to authenticate, in HTTPS, users only for a list of URLs.

Apache, with mod_ssl, has this option (see: http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular)

Is there a way to have this feature in lighttpd?

#1

Updated by ohe almost 10 years ago

See also comments on issue 1288: http://redmine.lighttpd.net/issues/1288#note-11

#2

Updated by gstrauss about 4 years ago

  • Category changed from core to TLS

#3

Updated by gstrauss over 3 years ago

  • Category changed from TLS to mod_auth

It is not possible to do this in lighttpd at the moment since TLS/SSL negotiation and client cert verification currently occur prior to reading the request (over the encrypted channel just negotiated). It should be possible to write a mod_authn_<backend>.c to plug into mod_auth to be able to provide this functionality.

For browsers using TLS SNI, it might already be possible to do this using $HTTP["host"] if you set up a vhost for login.example.com which is separate from the rest of the site. login.example.com could issue a secure, encrypted cookie after login which permits access to other .example.com sites without requiring client cert verification, though TLS connections to those other sites are still recommended.
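
The per-host arrangement suggested in the comment above, written out as an added example; it is not part of the original comment or of the lighttpd project's documentation. It assumes a lighttpd build that applies ssl.verifyclient.* inside an SNI-matched $HTTP["host"] block (the comment only says this might work); the file paths are the ones from the issue description, and ssl.verifyclient.enforce is an addition made here.

```lighttpd
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/tmp/pub.pem"
    ssl.ca-file = "/tmp/ca.pem"

    # Default for every other name on this socket: no client certificate.
    ssl.verifyclient.activate = "disable"

    # A $HTTP["url"] block cannot carry these settings: the handshake, and
    # with it client certificate verification, is finished before the
    # request line is read. The SNI server name is known during the
    # handshake, so a dedicated login host can carry them instead.
    $HTTP["host"] == "login.example.com" {
        ssl.verifyclient.activate = "enable"
        # Assumption: fail the handshake when no valid certificate is
        # presented, rather than only requesting one.
        ssl.verifyclient.enforce  = "enable"
        ssl.verifyclient.depth    = 2
    }
}
```

Because the TLS settings are chosen during the handshake and the Host header arrives only afterwards, the login application should confirm that a verified client certificate was presented before it issues the cookie, and not rely on the Host header alone.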

#4

Updated by gstrauss over 3 years ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.45

#5

Updated by gstrauss over 3 years ago

  • Target version changed from 1.4.45 to 1.4.46

#6

Updated by gstrauss over 3 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
