From a426020e04618d7eb77521b155c0c02068182f29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hermann=20H=C3=B6hne?=
Date: Sun, 3 Sep 2017 17:22:35 +0200
Subject: [PATCH] Added hints to which Python versions allow client certificate authentication. Renamed SSL client certificate authentication plugin to match its function (checking common names) more closely.

---
 docs/websockify.1            | 6 ++++--
 websockify/auth_plugins.py   | 2 +-
 websockify/websocketproxy.py | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/docs/websockify.1 b/docs/websockify.1
index cef4d5e..3aaea6e 100644
--- a/docs/websockify.1
+++ b/docs/websockify.1
@@ -97,11 +97,13 @@ The wstelnet.html page demonstrates a simple WebSockets based telnet client.
 .SS Use client certificate verification
-The --verify-client makes the server ask the client for a SSL certificate. Presenting a valid (not expired and trusted by any supplied certificate authority) certificate is required for the client connection. With -auth-plugin=ClientCertAuth, the client certificate can be checked against a list of authorised certificate users. Non-encrypted connection attempts always fail during authentication.
+This feature requires Python 2.7.9 or newer or Python 3.4 or newer.
+
+The --verify-client option makes the server ask the client for a SSL certificate. Presenting a valid (not expired and trusted by any supplied certificate authority) certificate is required for the client connection. With -auth-plugin=ClientCertCNAuth, the client certificate can be checked against a list of authorised certificate users. Non-encrypted connection attempts always fail during authentication.
 Here is an example of a vncsevrer with password-less, certificate-driven authentication:
-`./websockify 5901 --cert=fullchain.pem --key=privkey.pem --ssl-only --verify-client --cafile=ca-certificates.crt --auth-plugin=ClientCertAuth --auth-source='jane@example.com Joe User9824510' --web=noVNC/ --wrap-mode=ignore -- vncserver :1 -geometry 1024x768 -SecurityTypes=None`
+`./websockify 5901 --cert=fullchain.pem --key=privkey.pem --ssl-only --verify-client --cafile=ca-certificates.crt --auth-plugin=ClientCertCNAuth --auth-source='jane@example.com Joe User9824510' --web=noVNC/ --wrap-mode=ignore -- vncserver :1 -geometry 1024x768 -SecurityTypes=None`
 The --auth-source option takes a white-space separated list of common names. Depending on your clients certificates they can be verified email addresses, user-names or any other string used for identification.
diff --git a/websockify/auth_plugins.py b/websockify/auth_plugins.py
index dd6a9e8..8ce60f2 100644
--- a/websockify/auth_plugins.py
+++ b/websockify/auth_plugins.py
@@ -82,7 +82,7 @@ class ExpectOrigin(object):
         if origin is None or origin not in self.source:
             raise InvalidOriginError(expected=self.source, actual=origin)
 
-class ClientCertAuth(object):
+class ClientCertCNAuth(object):
     """Verifies client by SSL certificate. Specify src as whitespace separated list of common names."""
 
     def __init__(self, src=None):
diff --git a/websockify/websocketproxy.py b/websockify/websocketproxy.py
index 09feee3..52da186 100755
--- a/websockify/websocketproxy.py
+++ b/websockify/websocketproxy.py
@@ -407,7 +407,8 @@ def websockify_init():
     parser.add_option("--ssl-target", action="store_true",
                       help="connect to SSL target as SSL client")
     parser.add_option("--verify-client", action="store_true",
-                      help="require encrypted client to present a valid certificate")
+                      help="require encrypted client to present a valid certificate "
+                      "(needs Python 2.7.9 or newer or Python 3.4 or newer)")
     parser.add_option("--cafile", metavar="FILE",
                       help="file of concatenated certificates of authorities trusted "
                       "for validating clients (only effective with --verify-client). "
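Review bot: Renaming `ClientCertAuth` to `ClientCertCNAuth` removes the old name without an alias, so any deployment started with `--auth-plugin=ClientCertAuth` (the name the man page documented until this commit) will no longer resolve its plugin after upgrading. Whether that surfaces as a startup error or only when the first client connects is not visible in this hunk, but a silent configuration break in the authentication path is the case that most needs to fail loudly. A one-line compatibility alias after the class keeps old configurations working: `ClientCertAuth = ClientCertCNAuth  # deprecated name kept for existing --auth-plugin values`. The class docstring should also state the trust boundary a reader of "list of common names" will otherwise miss: a CN match is only as strong as the issuance policy of every CA in `--cafile`, since any of them can sign a certificate with any CN. The class body continues outside the hunk.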
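Review bot: The new help text states the Python requirement for `--verify-client` but nothing in the hunk enforces it, so on an older interpreter the outcome when the SSL setup path runs (a startup error, or a listener that never asks the client for a certificate) is not visible here, and this is exactly the option that must fail closed. After option parsing in `websockify_init` I would refuse to start instead of relying on the operator reading the help: `if opts.verify_client and not hasattr(ssl, "create_default_context"): parser.error("--verify-client needs Python 2.7.9+ or 3.4+")`. `ssl.create_default_context` first appeared in 2.7.9 and 3.4, which matches the stated requirement; this assumes `ssl` is imported in the module and `opts` is the parsed-options name, so adjust to the local names. `websockify_init` continues outside the hunk.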