M1cha commented Jun 22, 2022

What is the purpose of this change? What does it change?

Add support for authenticating clients using a CA certificate.

Was the change discussed in an issue or in the forum before?

Closes #73

Checklist

  • I have enabled maintainer edits for this PR
  • I have added tests for all changes in this PR
  • I have added documentation for the changes (in the manual)
  • There's a new file in changelog/unreleased/ that describes the changes for our users (template here)
  • I have run gofmt on the code in all commits
  • All commit messages are formatted in the same style as the other commits in the repo
  • I'm done, this Pull Request is ready for review

MichaelEischer (Member) commented

Shouldn't the rest-server also extract the username from the client certificate similar to #191? Or is the idea to only use the client certificate to allow access to the rest-server and then require an additional htpasswd verification (I'm not particularly sure how useful that is)?

M1cha (Author) commented Apr 9, 2023

@MichaelEischer IMO, what you request should be optional. I use TLS with my own CA to prevent anyone inside my home network from using the rest server. I need neither htaccess nor TLS username verification though since I'm the only user.

smiller255 commented

I tested this branch at 517d9cbcad3a52965f73d36fe0fd8cc61e8f1300 and it works just fine and as expected.

Notes:

  • The added documentation states that the new option can be used with --tls-ca but the implemented option uses --tls-cacert
  • To use client-side TLS for authentication without an htpasswd file it is currently required to start the server with the --no-auth flag, because without it the server complains about the missing htpasswd file. The --no-auth flag should actually disable both authentication options, while using --tls-cacert should work even if there is no htpasswd file.

@M1cha If you are still interested in working on this feature, I would offer to test this further and help with documentation or unit tests.
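As an added illustration of the two points raised above (a CA-gated `--tls-cacert` mode that works without htpasswd, and the optional username extraction from the client certificate), here is a self-contained Go example; it is not code from this PR or from rest-server, and the function names, the `newCert` helper that mints throwaway test certificates, and the CA/client names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// clientAuthConfig: server-side config for a --tls-cacert mode; the handshake only completes for clients whose certificate chains to caPool, no htpasswd involved.
func clientAuthConfig(caPool *x509.CertPool) *tls.Config {
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caPool}
}

// verifyClient re-checks a presented leaf the way the handshake does and returns its CommonName, usable as an optional username (the #191-style mapping).
func verifyClient(caPool *x509.CertPool, leaf *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: caPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// newCert mints constructed test material (not a real PKI): a self-signed CA when parent is nil, otherwise a client leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: the template signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```

A certificate issued by any CA not in the pool fails `verifyClient` with an unknown-authority error, which is the whole access control in the htpasswd-less setup described above.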

M1cha (Author) commented Jul 26, 2025

I updated the PR from my personal fork.

@smiller255

> The added documentation states that the new option can be used with `--tls-ca` but the implemented option uses `--tls-cacert`

Good catch, fixed.

> To use client-side TLS for authentication without an htpasswd file it is currently required to start the server with the `--no-auth` flag, because without it the server complains about the missing htpasswd file. The `--no-auth` flag should actually disable both authentication options, while using `--tls-cacert` should work even if there is no htpasswd file.

That sounds reasonable. I didn't implement that in my push, yet though.

> @M1cha If you are still interested in working on this feature, I would offer to test this further and help with documentation or unit tests.

I've been using the code in this PR for my main backup since I've opened the PR. Unfortunately it looks like the maintainers of rest-server are very inactive.

M1cha force-pushed the tls-client-auth branch from 446e9ee to 0171dcf on July 26, 2025 09:40

Linked issue (closed by this pull request): TLS Client Authentication (#73)