Implement TLS client authentication #75
Conversation
nmeum
changed the title
|
I documented the thing in the |
To clarify that authentication using TLS client certificates is still supported when --no-http-auth is passed.
|
Awesome, thanks! Looking forward to reviewing this. I may not get to it for a little bit (I'm on the last few sprints to get my backup service which uses restic ready for testing) -- so if someone else wants to look in the meantime, that'd be helpful too. 👌 |
|
Hi @nmeum why are the options here called |
| authType = tls.RequireAndVerifyClientCert | ||
| } | ||
| httpServer.TLSConfig = &tls.Config{ | ||
| ClientCAs: clientCerts, |
There was a problem hiding this comment.
why are we siggesting that we add the actual client certs to the server truststore for client authentication? Shouldn't we be suggesting that they provide a CA cert here, which is responsible for signing the client certs?
|
|
||
| authType := tls.VerifyClientCertIfGiven | ||
| if server.NoHTTPAuth { | ||
| authType = tls.RequireAndVerifyClientCert |
There was a problem hiding this comment.
why cant we have both tls client auth here AND http basic auth?
I think I didn't implemented checks against a CA because I didn't need it back then for my use-case. I also don't use rest-server in this configuration anymore and currently do not have enough free time on my hands to work on this PR. If you are interested in authentication with TLS client certificates submit a new PR. I wasn't even aware that this PR is still open, will close it. |
This pull request implements TLS client certificate authentication as requested in #73.
I tested this briefly with
openssl s_clientandresticwhich already has support for TLS client certificates due to restic/restic@e805b96. The code seems to work but further tests would be welcome.Regarding the authentication itself: TLS client authentication is required if
--no-http-authand--tls-client-certshave been passed. If--tls-client-certswas passed but--no-http-authwasn't it's entirely optional. This behavior is also documented in theREADME.md.Any thoughts on this? I just quickly hacked this together, did I miss anything?