Certificate support over UNIX socket
Claudio Luck
cluck at ethz.ch
Mon Mar 16 13:25:25 PDT 2015
Hi again,
There is this comment about listen-clear-file in the sample config:
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
#listen-clear-file = /var/run/ocserv-conn.socket
haproxy and nginx at least have the ability to pass the SSL certificates
and the validation exit status as headers to the request while it is
forwarded to the backend. In haproxy 1.5.7+ config speach:
frontend f_one:
http-request add-header X-SSL-Client-Cert %[ssl_c_der,base64]
http-request add-header X-SSL-Server-Cert %[ssl_f_der,base64]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
In this case a request without client certificate would look like:
...
GET /profiles/profile.xml HTTP/1.1
Host: vpn.example.org
Cookie: webvpn=[...]
X-SSL-Client-Verify: 0
X-SSL-Client-Cert:
X-SSL-Server-Cert: MIIE6....EFlaI
...
An a request with an invalid client certificate:
...
GET /profiles/profile.xml HTTP/1.1
Host: vpn.example.org
Cookie: webvpn=[...]
X-SSL-Client-Verify: 12
X-SSL-Client-Cert: MII....wuY29
X-SSL-Server-Cert: MII....EFlaI
...
ocserv could make use of this facility to support certificate
authentication over UNIX sockets.
Regards,
Claudio
More information about the openconnect-devel
mailing list