mod_auth_ccert

Introduction

This module implements PKI-style client certificate authentication. You will therefore need your own Certificate Authority. How to set that up is beyond the current scope of this document.

Configuration

authentication = "ccert"
certificate_match = "xmppaddr" -- or "email"

c2s_ssl = {
    cafile = "/path/to/your/ca.pem";
    capath = false; -- Disable capath inherited from built-in default
    verify = {"peer"; "client_once"}; -- Ask for client certificate
    verifyext = {
        -- Don't validate client certs as if they were server certs
        lsec_ignore_purpose = false
    }
}

Compatibility

trunk	Works
0.10 and later	Works
0.9 and earlier	Doesn’t work

Installation

With the plugin installer in Prosody 0.12 you can use:

sudo prosodyctl install https://modules.prosody.im/rocks/mod_auth_ccert-12-1.src.rock

For other see the documentation for installing 3rd party modules

Latest changes

Silence warning about unused global [luacheck] 2018-05-24
Backed out changeset 853a382c9bd6 2014-02-28
Advertise the XEP-0215 feature (thanks Gryffus) 2014-02-28
Use value from ipairs 2013-06-29
Fix logging of certificate chain errors 2013-06-14

mod_auth_ccert

Introduction

Configuration

Compatibility

Installation

Latest changes

Details

Authors

Links