Changeset 8daef10 in mod_gnutls


Ignore:
Timestamp:
Jan 25, 2020, 5:04:52 PM (6 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
47c2384
Parents:
f51d359
Message:

Update documentation on client authentication

File:
1 edited

Legend:

Unmodified
Added
Removed
  • doc/mod_gnutls_manual.md

    rf51d359 r8daef10  
    174174does not apply any more and tickets are enabled by default.
    175175
    176 ### GnuTLSClientVerify
    177 
    178 Enable Client Certificate Verification
    179 
    180     GnuTLSClientVerify [ignore|request|require]
    181 
    182 Default: `ignore`\
    183 Context: server config, virtual host, directory, .htaccess
    184 
    185 This directive controls the use of TLS Client Certificate
    186 Authentication. If used in the .htaccess context, it can force TLS
    187 re-negotiation.
    188 
    189 `ignore`
    190 :   `mod_gnutls` will ignore the contents of any TLS Client Certificates
    191     sent. It will not request that the client sends a certificate.
    192 
    193 `request`
    194 :   The client certificate will be requested, but not required.
    195     The Certificate will be validated if sent.  The output of the
    196     validation status will be stored in the `SSL_CLIENT_VERIFY`
    197     environment variable and can be `SUCCESS`, `FAILED` or `NONE`.
    198 
    199 `require`
    200 :   A Client certificate will be required. Any requests without a valid
    201     client certificate will be denied.  The `SSL_CLIENT_VERIFY`
    202     environment variable will only be set to `SUCCESS`.
    203 
    204176### GnuTLSDHFile
    205177
     
    349321running as root, and does not need to be readable by the nobody or
    350322apache user.
     323
     324### GnuTLSClientVerify
     325
     326Enable client certificate verification
     327
     328    GnuTLSClientVerify [ignore|request|require]
     329
     330Default: `ignore`\
     331Context: server config, virtual host, directory, .htaccess
     332
     333This directive controls if clients need to authenticate with a
     334certificate to access resources. If a mode other than `ignore` is used
     335in a directory context the server may request post-handshake
     336authentication (TLS 1.3 only, see below). Trusted CAs for certificate
     337validation are set using [`GnuTLSClientCAFile`](#gnutlsclientcafile).
     338
     339`ignore`
     340:   `mod_gnutls` will not request certificates from clients, and allow
     341    any requests.
     342
     343`request`
     344:   Client certificates will be requested, but requests are still
     345    allowed if the client does not send one or the provided
     346    certificate is invalid. If the client authenticates, the
     347    certificate validation status will be stored in the
     348    [`SSL_CLIENT_VERIFY`](#ssl_client_verify) environment variable and
     349    can be `SUCCESS`, `FAILED` or `NONE`.
     350
     351`require`
     352:   Client certificate authentication will be required for access. If
     353    set at server or virtual host level TLS connections from clients
     354    without a valid certificate will be denied. If set at directory
     355    level any requests without a valid client certificate will be
     356    denied with a 403 Forbidden error. The `SSL_CLIENT_VERIFY`
     357    environment variable will be set to `SUCCESS` if access is
     358    allowed, additional [environment
     359    variables](#environment-variables) will hold details on the client
     360    certificate.
     361
     362When using TLS 1.3 `mod_gnutls` will request [post-handshake
     363authentication](https://tools.ietf.org/html/rfc8446#section-4.6.2) as
     364necessary if the client announced support during the handshake. With
     365TLS versions 1.2 and earlier `mod_gnutls` supports client
     366authentication only during the initial handshake.
     367
     368If you want clients that do not support TLS 1.3 at all or do not
     369support the post-handshake authentication extension to have access to
     370resources that require authentication, you can set `GnuTLSClientVerify
     371request` at the server or virtual host level so clients can
     372authenticate during the initial handshake.
    351373
    352374### GnuTLSClientCAFile
     
    864886        GnuTLSCertificateFile conf/tls/site3.crt
    865887        GnuTLSKeyFile conf/tls/site3.key
    866         GnuTLSClientVerify ignore
    867888        GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
    868889        GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
     
    972993reloads.
    973994
     995`SSL_CLIENT_VERIFY`
     996-------------------
     997
     998Verification status of the client's certificate, if any. May be
     999`SUCCESS`, `FAILED` or `NONE`. See
     1000[`GnuTLSClientVerify`](#gnutlsclientverify).
     1001
    9741002`SSL_CLIENT_V_REMAIN`
    9751003---------------------
Note: See TracChangeset for help on using the changeset viewer.