varnish/hitch

Feature Request: client authentication (TLS Mutual Authentication)

ToonvdPas opened this issue · 4 comments

Hi,

We have a use case for TLS mutual authentication.
Hitch would be the preferred TLS proxy for our Varnish cluster if this was supported.

Simple requirements:
Hitch should check that...

  • the client certificate is valid
  • the client certificate is issued by one or more allowed CAs (configured in a way analogous to the Apache SSLCACertificateFile directive)

Could this feature request be added to this list please? https://github.com/varnish/hitch/wiki/Future-features

This seems to be a duplicate of #212

Well yes, there's overlap for sure.
But please take note of the specific use case (the two bullets).
Important about this use case is that the CN is not checked, only the validity of the certificate and the CA.

daghf commented

Hi @ToonvdPas

This is now in. See https://github.com/varnish/hitch/blob/master/hitch.conf.man.rst#client-verify--requiredoptionalnone

I'll close this issue now - please give it a try and open a new issue if you run into any issues.

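An added configuration example (not part of the original thread, and not text from daghf or the Hitch project) showing the two settings the linked manual page documents for this feature, `client-verify` and `client-verify-ca`, in a minimal `hitch.conf`. The file paths, ports and the backend address are assumptions for illustration. The weak setting is shown first for comparison; the hardened one below it is what the use case in this thread asks for: Hitch validates the presented client certificate and checks that it chains to one of the CAs in the bundle, without inspecting the CN.

```ini
# --- Weak: any client may connect, no client certificate is requested ---
frontend = "[*]:443"
backend  = "[127.0.0.1]:6086"          # assumed Varnish listener
pem-file = "/etc/hitch/server.pem"     # assumed server key + chain
client-verify = none

# --- Hardened: TLS mutual authentication for the use case above ---
frontend = "[*]:443"
backend  = "[127.0.0.1]:6086"          # assumed Varnish listener
pem-file = "/etc/hitch/server.pem"     # assumed server key + chain

# Reject the handshake unless the client presents a valid certificate.
# "optional" would accept connections without a certificate but still
# validate one if presented; "none" (the default) never asks for one.
client-verify = required

# PEM bundle of the CA certificates allowed to issue client certificates,
# the equivalent of Apache's SSLCACertificateFile. Only the certificate's
# validity and its chain to one of these CAs is checked, not the CN.
client-verify-ca = "/etc/hitch/client-ca.pem"  # assumed path
```

Keep the CA bundle limited to the CAs you actually intend to trust for client certificates; a bundle containing public root CAs would let any certificate issued under those roots authenticate. Reload Hitch after changing the bundle so added or removed CAs take effect.
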
@daghf , thanks for doing this, and so quickly!
I would love to test it ASAP but I was forced to build an alternative solution, based on nginx.
Time permitting I will test it, but I can't give you any indication when that will be.
Regards,
Toon.