Certificate support over UNIX socket

Claudio Luck cluck at ethz.ch
Mon Mar 16 13:25:25 PDT 2015

Hi again,

There is this comment about listen-clear-file in the sample config:
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
#listen-clear-file = /var/run/ocserv-conn.socket

haproxy and nginx at least have the ability to pass the SSL certificates
and the validation exit status as headers to the request while it is
forwarded to the backend. In haproxy 1.5.7+ config-speak:

frontend f_one:
   http-request add-header X-SSL-Client-Cert %[ssl_c_der,base64]
   http-request add-header X-SSL-Server-Cert %[ssl_f_der,base64]
   http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

In this case a request without client certificate would look like:
GET /profiles/profile.xml HTTP/1.1
Host: vpn.example.org
Cookie: webvpn=[...]
X-SSL-Client-Verify: 0
X-SSL-Server-Cert: MIIE6....EFlaI

And a request with an invalid client certificate:
GET /profiles/profile.xml HTTP/1.1
Host: vpn.example.org
Cookie: webvpn=[...]
X-SSL-Client-Verify: 12
X-SSL-Client-Cert: MII....wuY29
X-SSL-Server-Cert: MII....EFlaI

ocserv could make use of this facility to support certificate
authentication over UNIX sockets.
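One way a backend behind such a proxy could interpret these headers, as an added example that is not ocserv's or haproxy's code: it parses the forwarded request head, treats a verify value of 0 with no certificate header as "no certificate" (the first sample above), insists on exactly one verify header and at most one certificate header, and checks that the base64 value decodes to a single well-formed DER SEQUENCE. The header names come from the haproxy snippet above; the sample request and its 5-byte DER stand-in for a certificate are constructed.

```python
import base64
import binascii
from typing import List, Optional, Tuple

def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    # Split an HTTP/1.1 request head into (lower-cased name, value) pairs.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def der_sequence_length(der: bytes) -> Optional[int]:
    # Total encoded length of an outer DER SEQUENCE, or None if its header is malformed.
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                     # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify_client_cert(raw_request: bytes) -> Tuple[str, Optional[int], Optional[bytes]]:
    # Returns (state, verify_code, cert_der); state is "none", "verified", "failed" or "malformed".
    headers = parse_headers(raw_request)
    verify = [v for k, v in headers if k == "x-ssl-client-verify"]
    certs = [v for k, v in headers if k == "x-ssl-client-cert" and v]  # empty value = absent
    # set-header yields exactly one verify header; anything else did not come from the proxy
    if len(verify) != 1 or not verify[0].isdigit():
        return ("malformed", None, None)
    code = int(verify[0])
    if not certs:
        # verify 0 with no cert header means the client presented no certificate at all
        return ("none" if code == 0 else "failed", code, None)
    if len(certs) != 1:
        # add-header appends, so a duplicate means a client-supplied header was not stripped
        return ("malformed", code, None)
    try:
        der = base64.b64decode(certs[0], validate=True)
    except (binascii.Error, ValueError):
        return ("malformed", code, None)
    if der_sequence_length(der) != len(der):  # must be exactly one well-formed SEQUENCE
        return ("malformed", code, None)
    return ("verified" if code == 0 else "failed", code, der)

# Constructed sample: the "invalid client certificate" request above, with a 5-byte DER stand-in.
SAMPLE = (b"GET /profiles/profile.xml HTTP/1.1\r\nHost: vpn.example.org\r\n"
          b"X-SSL-Client-Verify: 12\r\nX-SSL-Client-Cert: MAMCAQU=\r\n\r\n")
```

These headers are only trustworthy when the socket is reachable by the proxy alone, so the backend should strip or reject them on any other listener.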


