LuCI client certificate authentication
luka.logar at cifra.si
Fri Feb 19 15:02:33 EST 2021
The above series of patches puts everything in place for the LuCI TLS
client certificate authentication. The authentication is disabled by default
and must be enabled in uhttpd config by setting:

    uci set uhttpd.main.client_auth='/etc/ssl/certs/clientCA.crt'

Also, user/certificate must be added in rpcd config (subject name as a
username and certificate hash as a password):

    uci add rpcd login
    uci set rpcd.@login[-1].username='C=SI, ST=Slovenia, ....., CN=John Doe'
    uci set rpcd.@login[-1].password='864D899C4685F875309CF7837586A38473DCB8FBEF3489123425345345CEB77A'
    uci add_list rpcd.@login[-1].read='*'
    uci add_list rpcd.@login[-1].write='*'

Currently only openssl and wolfssl ustream-ssl backends are supported.
During authentication, the user certificate is verified against the
CA certificate specified in the uhttpd config.
A slight change was made to the way LuCI logout is handled, as there
is no user/password screen anymore (when client cert auth is used),
so the logout just displays a notice that the session has ended.
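
Added example, not part of the original message or the patch series: a shell helper that prints the rpcd commands above for a given client certificate, quoting the subject safely and rejecting a malformed hash. It assumes the "certificate hash" is the SHA-256 fingerprint of the certificate as 64 upper-case hex digits without colons and that the subject uses the comma-separated one-line form shown in the message; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive the rpcd login values from a client certificate.
# Assumptions (not confirmed by the message): hash = SHA-256 fingerprint,
# 64 upper-case hex digits; subject = one-line "C=.., ST=.., CN=.." form.

# Turn "sha256 Fingerprint=AA:bb:..." into "AABB...".
fp_to_hex() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Quote a value for a POSIX shell command line: ' becomes '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Accept only exactly 64 upper-case hex digits.
is_sha256_hex() {
    case "$1" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Print the uci commands for one certificate user.
emit_rpcd_login() {   # $1 = subject, $2 = hash
    is_sha256_hex "$2" || { echo "bad hash: $2" >&2; return 1; }
    echo "uci add rpcd login"
    echo "uci set rpcd.@login[-1].username=$(sh_quote "$1")"
    echo "uci set rpcd.@login[-1].password=$(sh_quote "$2")"
    echo "uci add_list rpcd.@login[-1].read='*'"
    echo "uci add_list rpcd.@login[-1].write='*'"
}

# Read both values from a PEM file with the openssl CLI.
login_from_cert() {   # $1 = path to client certificate (PEM)
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt oneline,-space_eq) || return 1
    subj=$(printf '%s\n' "$subj" | sed 's/^subject= *//')
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    emit_rpcd_login "$subj" "$(fp_to_hex "$fp")"
}
```

Calling login_from_cert with the path to a client certificate prints the commands for review before they are run on the router. Compare the printed subject with what the router actually logs for the certificate, since the exact subject formatting expected by the patches is an assumption here.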