changeset 4433:0e3f5f70a51d

mod_auth_ccert/README: Add certificate purpose config to example. Thanks debacle. By default Prosody validates all client certificates as if they were server certificates, for historical reasons, from a time when you couldn't get certificates with the client purpose.
author Kim Alvefur <zash@zash.se>
date Sat, 06 Feb 2021 22:15:08 +0100
parents e83284d4d5c2
children f10ab82be166
files mod_auth_ccert/README.markdown
diffstat 1 files changed, 4 insertions(+), 0 deletions(-) [+]
--- a/mod_auth_ccert/README.markdown	Sat Feb 06 21:34:25 2021 +0100
+++ b/mod_auth_ccert/README.markdown	Sat Feb 06 22:15:08 2021 +0100
@@ -23,6 +23,10 @@
         cafile = "/path/to/your/ca.pem";
         capath = false; -- Disable capath inherited from built-in default
         verify = {"peer"; "client_once"}; -- Ask for client certificate
+        verifyext = {
+            -- Don't validate client certs as if they were server certs
+            lsec_ignore_purpose = false
+        }
     }