[Freedombox-discuss] authenticating https clients through Monkeysphere
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Mar 27 17:54:03 UTC 2014
On 03/27/2014 12:47 PM, Clint Adams wrote:
> 0b) As the aforementioned user, import the key or keys you
> wish to authorize as certifiers and give them "ultimate"
> sudo -u wwwmsva -H gpg --recv-keys FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
> sudo -u wwwmsva -H gpg --edit FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
if you're scripting this, it's probably better to take the second step
echo FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582:6: | \
sudo -u wwwmsva -H gpg --import-ownertrust
> 1c) Add a virtual host with a config that uses
> "GnuTLSClientVerifyMethod msva" and "GnuTLSClientVerify require".
> Putting "GnuTLSClientVerify request" or "GnuTLSClientVerify require"
> for a <Directory> and not the entire vhost seems to lead to a lot
> of TLS rehandshaking and an utter failure to work, so you may want
> to stick to something like this for now.
We should iron out the case with a subdirectory. test cases for
mod_gnutls would be great.
> Now here are some problems:
> a) You can't just GnuTLSClientVerify require the
> resources you might want to restrict
this is the same concern as the one immediately above here, right?
> b) There appears to be no way to authorize within
> Apache; mod_rewrite special-cases mod_ssl
> and even if mod_gnutls had ap_expr hooks I
> don't think it would do any good.
> If anyone knows how I might be misunderstanding Apache
> and there's something like a way to map SSL_CLIENT_S_AN0
> values into REMOTE_USER or a way to use this with
> mod_authz_core, I'd be delighted to hear about it.
I think we might be able to coax the info that we want into REMOTE_USER
if that would be useful. i need to do a bit more reading.
i'd be happy to follow up on this discussion on
mod_gnutls-devel at lists.gnutls.org if you like.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1010 bytes
Desc: OpenPGP digital signature
More information about the Freedombox-discuss