Feature #921

Client SSL Authentication Module

Added by harningt over 13 years ago. Updated over 10 years ago.

Status: Fixed
Priority: Normal
Category: mod_auth
Target version: -

Description

Since SSL is already integrated, there should be a client-certificate authentication module.
I believe such a module exists for Apache (however their SSL implementation looks to be all as a module...) so perhaps somebody can look there for advice...

Maybe this can be integrated such that a Lua script can receive certificate information and map this to usable information... not sure how client-cert auth works in the backend besides the fact that the cert must be signed by a CA in the chain of authorized CAs for client-cert auth...


Files

lighttpd-1.4.13_ssl_client_verify_0.2.patch (4.61 KB), Lars, 2007-03-02 18:14
lighttpd-1.4.16_ssl-client-verify_0.3.patch (8.5 KB), Client SSL Authentication Patch with SSL_CLIENT_S_DN environment variables for CGI/FastCGI/SCGI, presbrey, 2007-07-26 14:54

Related issues

Is duplicate of Feature #1288: SSL Client Certificate validation. (Fixed)

#1

Updated by Lars over 13 years ago

lighttpd-1.4.13_ssl_client_verify_0.2.patch:

client validation is controlled with two new config options:


ssl.verify-peer (boolean, default = "disable")
ssl.verify-depth (short, default = 9)

If verification is turned on, lighttpd disconnects all clients
which do not provide a valid client certificate.
Note: You will also need the CA file which provides the root
certificate for validation:


ssl.ca-file             = "/path/to/ca.crt" 

example SSL section in 'lighttpd.conf' looks like this:


ssl.engine              = "enable" 
ssl.use-sslv2           = "disable" 
ssl.pemfile             = "/etc/lighttpd/server.pem" 
ssl.ca-file             = "/etc/lighttpd/ca.crt" 
ssl.verify-peer         = "enable" 
ssl.verify-depth        = 1

#2

Updated by Anonymous about 13 years ago

Lars,

Will this patch set all of the environment variables that one would expect to see when using SSL client certificates?

Thanks,

Stan McFarland

-- sfmcfar

#3

Updated by nmaier almost 13 years ago

Ported to trunk, enhanced and backported to 1.4.x: #1288

Thanks Lars for pointing me in the right direction. :D

#4

Updated by stbuehler over 10 years ago

  • Status changed from New to Fixed

Applied in changeset r2688.
