Changeset 0de1839 in mod_gnutls for src/mod_gnutls.c
Timestamp:
Mar 19, 2015, 8:27:45 AM (5 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
91ccb87
Parents:
10b3370
Message:

Support X.509 auth for TLS proxy connections

This commit adds support for X.509 certificate-based authentication for
TLS proxy back end connections, including both server certificate
checking and (optionally) TLS client authentication. Some functions used
for this require GnuTLS 3.1.4 or later, so requirements change
accordingly.

Three new configuration parameters are added:

GnuTLSProxyCAFile FILEPATH

The given file must contain trusted CA certificates for server
verification. Required.

GnuTLSProxyKeyFile FILEPATH
GnuTLSProxyCertificateFile FILEPATH

Key and certificate for TLS client auth towards TLS back end servers. If
not set, TLS client auth is disabled.

File:
1 edited
  • src/mod_gnutls.c

    r10b3370 r0de1839  
    224224    RSRC_CONF,
    225225    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
     226    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
     227    NULL,
     228    RSRC_CONF,
     229    "X509 client private file for proxy connections"),
     230    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
     231    NULL,
     232    RSRC_CONF,
     233    "X509 client certificate file for proxy connections"),
     234    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
     235    NULL,
     236    RSRC_CONF,
     237    "X509 trusted CA file for proxy connections"),
    226238    { NULL },
    227239};
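Review bot: the help string on new line 229 is missing a word: "X509 client private file for proxy connections" should read "X509 client private key file for proxy connections" so it matches the GnuTLSProxyKeyFile directive it documents and the sibling descriptions on lines 233 and 237. Since the commit message states that GnuTLSProxyCAFile is required for back end verification, consider saying so in its help string on line 237 as well, e.g. "X509 trusted CA file for proxy connections (required)", so the directive table documents the requirement without the reader having to consult the commit log.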