Changeset 0de1839 in mod_gnutls for src/mod_gnutls.c

Timestamp:

Mar 19, 2015, 8:27:45 AM (5 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

91ccb87

Parents:

10b3370

Message:

Support X.509 auth for TLS proxy connections

This commit adds support for X.509 certificate based authentication for
TLS proxy back end connections, including both server certificate
checking and (optionally) TLS client authentication. Some functions used
for this require GnuTLS 3.1.4 or later, so requirements change
accordingly.

Three new configuration parameters are added:

GnuTLSProxyCAFile FILEPATH

The given file must contain trusted CA certificates for server
verification. Required.

GnuTLSProxyKeyFile FILEPATH
GnuTLSProxyCertificateFile FILEPATH

Key and certificate for TLS client auth towards TLS back end servers. If
not set, TLS client auth is disabled.

File:

• src/mod_gnutls.c (modified) (1 diff)

src/mod_gnutls.c

@@ -224 +224 @@
     RSRC_CONF,
     "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
+    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client private file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client certificate file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 trusted CA file for proxy connections"),
     { NULL },
 };