mod_auth_ccert

Introduction

This module implements PKI-style client certificate authentication. You will therefore need your own Certificate Authority. How to set that up is beyond the current scope of this document.

Configuration

authentication = "ccert"
certificate_match = "xmppaddr" -- or "email"

c2s_ssl = {
    cafile = "/path/to/your/ca.pem";
    capath = false; -- Disable capath inherited from built-in default
    verify = {"peer"; "client_once"}; -- Ask for client certificate
    verifyext = {
        -- Don't validate client certs as if they were server certs
        lsec_ignore_purpose = false
    }
}

Compatibility

trunk	Works
0.10 and later	Works
0.9 and earlier	Doesn’t work

Installation

With the plugin installer in Prosody 0.12 you can use:

sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_auth_ccert

For earlier versions see the documentation for installing 3rd party modules

Latest changes

Add certificate purpose conifg to example 2021-02-06
Add setting to ensure Prosdy asks for client certificate 2021-02-06
Silence warning about unused global [luacheck] 2018-05-24
It's cafile, not cacert 2015-10-11
Recomend cacert instead of capath 2015-10-01

mod_auth_ccert

Introduction

Configuration

Compatibility

Installation

Latest changes

Details

Authors

Links