LuCI client certificate authentication

Luka Logar luka.logar at
Fri Feb 19 15:02:33 EST 2021

The above series of patches puts everything in place for LuCI TLS 
client certificate authentication. The authentication is disabled by default
and must be enabled in the uhttpd config by setting

uci set uhttpd.main.client_auth='/etc/ssl/certs/clientCA.crt'

Also, a user/certificate must be added to the rpcd config (subject name as the 
username and certificate hash as the password)

uci add rpcd login
uci set rpcd.@login[-1].username='C=SI, ST=Slovenia, ....., CN=John Doe'
uci set rpcd.@login[-1].password='864D899C4685F875309CF7837586A38473DCB8FBEF3489123425345345CEB77A'
uci add_list rpcd.@login[-1].read='*'
uci add_list rpcd.@login[-1].write='*'

Currently only the openssl and wolfssl ustream-ssl backends are supported. 
During authentication the user certificate is verified against the
CA certificate specified in uhttpd.
A slight change was made to the way LuCI logout is handled, as there 
is no user/password screen anymore (when client cert auth is used),
so the logout just displays a notice that the session has ended.


More information about the openwrt-devel mailing list
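The setup the post describes, as an added worked example (this is not code from the patch series or from the OpenWrt project): it creates a throwaway client CA and a client certificate signed by it, checks that the client certificate chains to that CA (which is the check uhttpd performs at the TLS handshake), and prints the uhttpd/rpcd uci commands with the subject and the certificate hash filled in from the real certificate. Two things are assumptions, not confirmed by the post: that rpcd matches the subject in openssl's one-line form without spaces around "=" (the "C=SI, ST=Slovenia, CN=John Doe" shape shown above), and that the 64-hex-digit "password" is the uppercase SHA-256 fingerprint of the DER-encoded certificate. Check both against the patch series before relying on them.

```shell
#!/bin/sh
# Added example, not part of the patch series or of OpenWrt.
# Requires the openssl CLI; does not run uci itself, it only prints the commands.
set -e

# Create a client CA and one client certificate signed by it in directory $1.
make_client_pki() {
  dir=$1
  # Self-signed client CA (this file is what uhttpd.main.client_auth points at).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=LuCI client CA" \
    -keyout "$dir/clientCA.key" -out "$dir/clientCA.crt" 2>/dev/null
  # Client key + CSR with the subject that will become the rpcd username.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=SI/ST=Slovenia/CN=John Doe" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # Issue the client certificate from the CA.
  openssl x509 -req -in "$dir/client.csr" \
    -CA "$dir/clientCA.crt" -CAkey "$dir/clientCA.key" -CAcreateserial \
    -days 365 -out "$dir/client.crt" 2>/dev/null
}

# Subject in one-line form without spaces around '=' (ASSUMPTION: the form
# rpcd compares against), e.g. "C=SI, ST=Slovenia, CN=John Doe".
cert_subject() {
  openssl x509 -noout -subject -nameopt oneline,-space_eq -in "$1" \
    | sed 's/^subject= *//'
}

# Uppercase hex SHA-256 fingerprint of the DER certificate, colons stripped
# (ASSUMPTION: the value rpcd expects in the password field).
cert_hash() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//; s/://g'
}

# Same verification uhttpd performs at the handshake: does $1 chain to CA $2?
cert_verify() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the uci commands for the CA file $1 and client certificate $2.
emit_uci() {
  subj=$(cert_subject "$2")
  hash=$(cert_hash "$2")
  cat <<EOF
# copy $1 to the router as /etc/ssl/certs/clientCA.crt first
uci set uhttpd.main.client_auth='/etc/ssl/certs/clientCA.crt'
uci add rpcd login
uci set rpcd.@login[-1].username='$subj'
uci set rpcd.@login[-1].password='$hash'
uci add_list rpcd.@login[-1].read='*'
uci add_list rpcd.@login[-1].write='*'
uci commit uhttpd rpcd
EOF
}

main() {
  work=$(mktemp -d)
  make_client_pki "$work"
  # Refuse to print config for a certificate the CA would not accept anyway.
  cert_verify "$work/client.crt" "$work/clientCA.crt" \
    || { echo "client.crt does not chain to clientCA.crt" >&2; exit 1; }
  emit_uci "$work/clientCA.crt" "$work/client.crt"
  echo "# client files in $work (client.crt / client.key)"
}

main "$@"
```

After applying the printed commands and restarting uhttpd and rpcd, a browser presents the client certificate at the handshake; from a shell the same login can be exercised with `curl --cert client.crt --key client.key https://<router>/`. If the subject or hash format turns out to differ from the assumptions above, only `cert_subject` and `cert_hash` need adjusting.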