When users visit XRootD-based HTTP servers in the browser, they get a pop-up request for selecting a client certificate. This is fairly disruptive for users not working in X.509-based environments -- and completely unnecessary if X.509 authentication is not in use!
This PR adds two new options, tlsclientauth and tlsrequiredprefix, that control when the HTTPS server may request a client certificate. Note that this only makes sense for the HTTPS protocol and hence isn't part of the generic XrdTls configuration.
http.tlsclientauth [on|off|defer]
Controls the use of client certificate authentication only for the HTTPS protocol. When on (default), the HTTPS protocol server will always request a client certificate from the client. When off, it will never request a certificate. When set to defer, it will only request a client certificate if the request is for a path specified by http.tlsrequiredprefix.
It is not an error if the client does not provide a certificate.
http.tlsrequiredprefix /prefix
This option, which can be specified multiple times, specifies a prefix that requires the use of TLS client certificate authentication. If an HTTP request is made for a path starting with this prefix and http.tlsclientauth is in defer mode, then the HTTP server will request a client certificate from the client before a response is made.
Note this only works with clients that support the post-handshake authentication option in TLS 1.3 (these include curl 7.62 or later and the curl version shipped with RHEL8 or later).
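As an added illustration (not code from this PR or from XRootD), the following Python model parses the two directives out of a constructed config fragment and applies the decision rule described above; the query-string stripping and the collapsing of `..` and `//` before the prefix match are assumptions of this example, not behaviour the PR states.

```python
import posixpath

VALID_MODES = ("on", "off", "defer")

# Constructed xrootd-style config fragment (not from any real deployment).
SAMPLE_CONFIG = """\
http.tlsclientauth defer
http.tlsrequiredprefix /secure
http.tlsrequiredprefix /x509    # directive may be repeated
"""


def parse_config(text):
    """Return (mode, prefixes); mode defaults to 'on' as the PR text says."""
    mode, prefixes = "on", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "http.tlsclientauth":
            if value not in VALID_MODES:
                raise ValueError(f"bad http.tlsclientauth value: {value!r}")
            mode = value
        elif key == "http.tlsrequiredprefix":
            if not value.startswith("/"):
                raise ValueError(f"prefix must be absolute: {value!r}")
            prefixes.append(value)
    return mode, prefixes


def requests_client_cert(mode, prefixes, request_path):
    """True if the HTTPS server should ask the client for a certificate."""
    if mode == "on":
        return True
    if mode == "off":
        return False
    # defer: plain string-prefix match, as the PR describes.  Stripping the
    # query and collapsing '..' / '//' first is this example's assumption, so
    # '/public/../secure/f' is judged against '/secure', not '/public'.
    path = request_path.split("?", 1)[0]
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return any(norm.startswith(p) for p in prefixes)


if __name__ == "__main__":
    mode, prefixes = parse_config(SAMPLE_CONFIG)
    for p in ("/secure/f.root", "/public/f.root", "/public/../secure/f.root"):
        print(p, "->", requests_client_cert(mode, prefixes, p))
```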