Client Authentication

Kore supports client authentication if turned on for a given domain.

If turned on, Kore will request an X509 certificate from the client and verify it against the configured list of trusted certificate authorities.

Enabling client authentication (via config)

To turn on client authentication, add the client_verify and client_verify_depth configuration directives to the domain you wish to enable it on.

domain needsauth.example.com {
    certfile   cert/example.com/server.pem
    certkey    cert/example.com/key.pem

    # Bundle of trusted certificate authorities and an optional CRL 
    client_verify   cert/cabundle.pem cert/crloptional.pem

    # The verification depth
    client_verify_depth 1
}
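
To review an existing configuration, the script below reports, per domain block, whether client_verify is set, whether a CRL was supplied with it, and the configured depth. It is an added example, not part of Kore: the function name audit_client_auth and the sample domains are assumptions, and it only understands the domain block layout shown above.

```python
# Added example (constructed sample config; names and paths are illustrative).
SAMPLE_CONF = """
domain needsauth.example.com {
    certfile   cert/example.com/server.pem
    # Bundle of trusted certificate authorities and an optional CRL
    client_verify   cert/cabundle.pem cert/crloptional.pem
    client_verify_depth 1
}
domain nocrl.example.com {
    client_verify   cert/cabundle.pem
}
domain public.example.com {
    certfile   cert/example.com/server.pem
    client_verify_depth 1
}
"""

def audit_client_auth(conf_text):
    """Map each domain to its CA bundle, CRL, depth and a list of findings."""
    report, cur, nesting = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if cur is None:
            if words[0] == "domain" and words[-1] == "{" and len(words) == 3:
                cur = report.setdefault(words[1], {"ca": None, "crl": None, "depth": None})
                nesting = 1
        elif words[-1] == "{":
            nesting += 1            # nested block inside the domain; skipped
        elif line == "}":
            nesting -= 1
            if nesting == 0:
                cur = None
        elif nesting == 1 and words[0] == "client_verify" and len(words) >= 2:
            cur["ca"] = words[1]
            cur["crl"] = words[2] if len(words) > 2 else None
        elif nesting == 1 and words[0] == "client_verify_depth" and len(words) == 2:
            cur["depth"] = int(words[1])
    for d in report.values():
        d["findings"] = []
        if d["ca"] is None:
            d["findings"].append("client_verify not set: client authentication is off")
            if d["depth"] is not None:
                d["findings"].append("client_verify_depth set without client_verify")
        elif d["crl"] is None:
            d["findings"].append("no CRL given to client_verify")
    return report
```

Call audit_client_auth() with the text of your own configuration file and review any domain whose findings list is not empty.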

Enabling client authentication (via Python API)

You can also enable client authentication via the Python API by passing the client_verify and verify_depth keywords to the domain setup.

dom = kore.domain("needsauth.example.com",
    attach="server",
    cert="cert/example.com/server.pem",
    key="cert/example.com/key.pem",
    client_verify="cert/cabundle.pem",
    verify_depth=1
)

You currently cannot set CRLs via the Python API.
