[Freedombox-discuss] authenticating https clients through Monkeysphere
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Mar 27 17:54:03 UTC 2014
On 03/27/2014 12:47 PM, Clint Adams wrote:
> 0b) As the aforementioned user, import the key or keys you
> wish to authorize as certifiers and give them "ultimate"
> trust.
>
> f.ex.
> sudo -u wwwmsva -H gpg --recv-keys FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
> sudo -u wwwmsva -H gpg --edit FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
> trust
> 5
> y
> quit
if you're scripting this, it's probably better to take the second step
above as:
echo FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582:6: | \
sudo -u wwwmsva -H gpg --import-ownertrust
> 1c) Add a virtual host with a config that uses
> "GnuTLSClientVerifyMethod msva" and "GnuTLSClientVerify require".
> Putting "GnuTLSClientVerify request" or "GnuTLSClientVerify require"
> for a <Directory> and not the entire vhost seems to lead to a lot
> of TLS rehandshaking and an utter failure to work, so you may want
> to stick to something like this[1] for now.
We should iron out the case with a subdirectory. test cases for
mod_gnutls would be great.
> Now here are some problems:
> a) You can't just GnuTLSClientVerify require the
> resources you might want to restrict
this is the same concern as the one immediately above here, right?
> b) There appears to be no way to authorize within
> Apache; mod_rewrite special-cases mod_ssl
> and even if mod_gnutls had ap_expr hooks I
> don't think it would do any good.
>
> If anyone knows how I might be misunderstanding Apache
> and there's something like a way to map SSL_CLIENT_S_AN0
> values into REMOTE_USER or a way to use this with
> mod_authz_core, I'd be delighted to hear about it.
I think we might be able to coax the info that we want into REMOTE_USER
if that would be useful. i need to do a bit more reading.
i'd be happy to follow up on this discussion on
mod_gnutls-devel at lists.gnutls.org if you like.
--dkg
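As an added example (not code from the thread), here is a small POSIX sh helper for the scripted ownertrust step mentioned above. It maps the number typed at gpg's interactive "trust" prompt (5 = ultimate) to the value the ownertrust file format expects (6 = ultimate, 5 = full, 4 = marginal, 3 = never, 2 = undefined), refuses anything that is not a full 40-hex-digit fingerprint (short key IDs are easy to collide and should never drive a trust decision), and only then emits the "FPR:LEVEL:" lines that gpg --import-ownertrust reads. The wwwmsva user is the one used in the thread; the --apply flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: build the input for
# "gpg --import-ownertrust" for the certifier keys the MSVA user
# (wwwmsva, as in the thread) should treat as ultimately trusted.
# Function names and the --apply flag are assumptions of this example.

set -eu

# Interactive "trust" menu number -> ownertrust file value.
# The menu numbers ultimate as 5, but the ownertrust export format
# records it as 6 (2=undefined, 3=never, 4=marginal, 5=full, 6=ultimate).
menu_to_ownertrust() {
    case "$1" in
        1) echo 2 ;;   # I don't know / undefined
        2) echo 3 ;;   # I do NOT trust
        3) echo 4 ;;   # marginal
        4) echo 5 ;;   # full
        5) echo 6 ;;   # ultimate
        *) return 1 ;;
    esac
}

# Accept only a full 40-hex-digit fingerprint. Short key IDs are
# trivially collidable and must not be used to assign trust.
valid_fpr() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Emit one "FPR:LEVEL:" line per fingerprint (uppercased), the format
# gpg --import-ownertrust reads. Everything is validated before anything
# is printed, so a bad entry cannot leave gpg with a half-applied batch.
ownertrust_lines() {
    level=$(menu_to_ownertrust "$1") || return 1
    shift
    for fpr in "$@"; do
        valid_fpr "$fpr" || return 1
    done
    for fpr in "$@"; do
        printf '%s:%s:\n' "$(printf '%s' "$fpr" | tr 'a-f' 'A-F')" "$level"
    done
}

# Scripted equivalent of the interactive "trust / 5 / y / quit" step:
#   sh this_script.sh --apply FPR1 FPR2 ...
# gpg is only invoked when --apply is given and gpg is installed, so the
# functions above can be sourced and exercised without touching a keyring.
if [ "${1:-}" = "--apply" ] && command -v gpg >/dev/null 2>&1; then
    shift
    ownertrust_lines 5 "$@" | sudo -u wwwmsva -H gpg --import-ownertrust
fi
```

Because the helper exits non-zero before printing anything when any fingerprint or level is bad, a pipeline into gpg --import-ownertrust under "set -o pipefail" (where the shell supports it) fails cleanly instead of importing a partial list.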