Hi Martin,

On 31.10.2015 16:10, [email protected] wrote:
> We really need authentication of individual TLS connections (as
> first step of authentication), because our main problem is that
> some of these web applications are quite old and the server software
> reached the end of support date already a long time ago.

Thank you for explaining your business case. It enables investigation of less obvious solutions.

Is it possible to configure client browsers to use a proxy to connect to the sensitive servers? Maybe you could use proxy authentication instead of TLS authentication or web application. What about using a VPN for the sensitive servers?

> But client certificates are no option in this case. It has to be
> TOTP.

Unfortunately SSL/TLS was never designed for interactive authentication. Why exactly can you not use client certificates? Maybe there is something I can do about it.

> So your suggestion is to use some dedicated reverse HTTPS proxy in
> combination with i.e. privacyIDEA, right?

Right. My first guess would be chaining:
- apache2
- mod_proxy
- mod_authnz_external
- pwauth
- libpam-google-authenticator

> I guess this will get much more complicated than the client
> certificate based https-authentication based on stunnel before

Indeed.

Best regards,
Mike

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
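
A configuration sketch of the chain listed in the message above, added here as an example and not taken from the message or from any of the named projects. The server name, certificate paths, backend address and the `/usr/sbin/pwauth` location are assumptions; the PAM lines are shown as comments because they belong in a separate file.

```apache
# Added example, not from the original message. Host names, paths and the
# backend address are placeholders (assumptions).
#
# PAM side, in a separate file /etc/pam.d/pwauth (pwauth authenticates
# against the PAM service named "pwauth"):
#   auth    required pam_google_authenticator.so
#   account required pam_permit.so
#
# Apache modules needed: mod_ssl, mod_proxy, mod_proxy_http,
# mod_headers, mod_authnz_external.

# Hand username/password to pwauth over a pipe (stdin), not via environment.
DefineExternalAuth pwauth pipe /usr/sbin/pwauth

<VirtualHost *:443>
    ServerName legacy-app.example.internal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/legacy-app.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/legacy-app.example.internal.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    <Location "/">
        # Every request must authenticate before it is proxied.
        AuthType Basic
        AuthName "Legacy application (TOTP required)"
        AuthBasicProvider external
        AuthExternal pwauth
        Require valid-user

        # Do not forward the user's credentials to the unsupported backend.
        RequestHeader unset Authorization

        ProxyPass        "http://10.0.0.10:8080/"
        ProxyPassReverse "http://10.0.0.10:8080/"
    </Location>
</VirtualHost>
```

With Basic authentication the browser resends the same credentials on every request, so a one-time code stops validating once its time window passes and the user is prompted again. The unsupported backend should also be reachable only from the proxy host, otherwise the authentication in front of it can be bypassed.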
