Re: [Freedombox-discuss] authenticating https clients through Monkeysphere

Thu, 27 Mar 2014 11:00:05 -0700 

On 03/27/2014 12:47 PM, Clint Adams wrote:
> 0b) As the aforementioned user, import the key or keys you
>     wish to authorize as certifiers and give them "ultimate"
>     trust.
> 
>     f.ex.
>         sudo -u wwwmsva -H gpg --recv-keys 
> FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
>         sudo -u wwwmsva -H gpg --edit FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582
>         trust
>         5
>         y
>         quit

if you're scripting this, it's probably better to take the second step
above as:

echo FFA9D757A78A599BB29ECF20DFFB8B0B5C6F5582:6: | \
  sudo -u wwwmsva -H gpg --import-ownertrust

> 1c) Add a virtual host with a config that uses
>     "GnuTLSClientVerifyMethod msva" and "GnuTLSClientVerify require".
>     Putting "GnuTLSClientVerify request" or "GnuTLSClientVerify require"
>     for a <Directory> and not the entire vhost seems to lead to a lot
>     of TLS rehandshaking and an utter failure to work, so you may want
>     to stick to something like this[1] for now.

We should iron out the case with a subdirectory.  test cases for
mod_gnutls would be great.

> Now here are some problems:
>     a) You can't just GnuTLSClientVerify require the
>        resources you might want to restrict

this is the same concern as the one immediately above here, right?

>     b) There appears to be no way to authorize within
>        Apache; mod_rewrite special-cases mod_ssl
>        and even if mod_gnutls had ap_expr hooks I
>        don't think it would do any good.
> 
> If anyone knows how I might be misunderstanding Apache
> and there's something like a way to map SSL_CLIENT_S_AN0
> values into REMOTE_USER or a way to use this with
> mod_authz_core, I'd be delighted to hear about it.

I think we might be able to coax the info that we want into REMOTE_USER
if that would be useful.  i need to do a bit more reading.

i'd be happy to follow up on this discussion on
mod_gnutls-de...@lists.gnutls.org if you like.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

Reply via email to