On 03/27/2014 12:47 PM, Clint Adams wrote:
> 0b) As the aforementioned user, import the key or keys you
>     wish to authorize as certifiers and give them "ultimate"
>     trust.
>
>     f.ex.
>     sudo -u wwwmsva -H gpg --recv-keys FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
>     sudo -u wwwmsva -H gpg --edit FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
>     trust
>     5
>     y
>     quit

if you're scripting this, it's probably better to take the second step
above as:

    echo FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582:6: | \
      sudo -u wwwmsva -H gpg --import-ownertrust

> 1c) Add a virtual host with a config that uses
>     "GnuTLSClientVerifyMethod msva" and "GnuTLSClientVerify require".
>     Putting "GnuTLSClientVerify request" or "GnuTLSClientVerify require"
>     for a <Directory> and not the entire vhost seems to lead to a lot
>     of TLS rehandshaking and an utter failure to work, so you may want
>     to stick to something like this[1] for now.

We should iron out the case with a subdirectory. test cases for
mod_gnutls would be great.

> Now here are some problems:
> a) You can't just GnuTLSClientVerify require the
>    resources you might want to restrict

this is the same concern as the one immediately above here, right?

> b) There appears to be no way to authorize within
>    Apache; mod_rewrite special-cases mod_ssl
>    and even if mod_gnutls had ap_expr hooks I
>    don't think it would do any good.
>
> If anyone knows how I might be misunderstanding Apache
> and there's something like a way to map SSL_CLIENT_S_AN0
> values into REMOTE_USER or a way to use this with
> mod_authz_core, I'd be delighted to hear about it.

I think we might be able to coax the info that we want into REMOTE_USER
if that would be useful. i need to do a bit more reading. i'd be happy
to follow up on this discussion on mod_gnutls-de...@lists.gnutls.org if
you like.

        --dkg
_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
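
Added example, not part of the message above or of the msva/mod_gnutls code: a shell sketch of the scripted ownertrust step from the reply, extended to several certifier keys, with fingerprint validation before the import and a check afterwards. The wwwmsva account, the fingerprint and the ":6:" value are taken from the thread; the function names and the --apply switch are assumptions made for this example.

```shell
#!/bin/sh
# Build and apply ownertrust records for gpg --import-ownertrust.
# Function names and the --apply switch are hypothetical (this example only).

# Normalise one fingerprint: drop spaces, upper-case, require 40 hex digits.
# Short or long key IDs are rejected so that only a full fingerprint can be
# granted ultimate trust.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Emit one "FPR:6:" record per argument (6 = ultimate, as in the reply).
# Emits nothing at all if any argument is malformed.
ownertrust_records() {
    out=""
    for arg in "$@"; do
        fpr=$(normalize_fpr "$arg") || {
            echo "rejecting malformed fingerprint: $arg" >&2
            return 1
        }
        out="${out}${fpr}:6:
"
    done
    printf '%s' "$out"
}

# Import the records as the msva user, then confirm each one is present
# in the exported ownertrust database.
apply_ownertrust() {
    records=$(ownertrust_records "$@") || return 1
    printf '%s\n' "$records" | sudo -u wwwmsva -H gpg --import-ownertrust || return 1
    current=$(sudo -u wwwmsva -H gpg --export-ownertrust) || return 1
    for rec in $records; do
        printf '%s\n' "$current" | grep -qxF "$rec" || {
            echo "ownertrust not set: $rec" >&2
            return 1
        }
    done
}

# Only touch the keyring when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_ownertrust "$@"
fi
```

Run with --apply followed by one or more full fingerprints; without --apply the script only defines the functions and changes nothing.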