V2: Client Auth

Hi,
I am writing a module for Caddy2. I need to require a client SSL certificate and to access it in my plugin code.
In Caddy1 I used the tls settings in the Caddyfile
tls cert key {
    clients require
}
Which later made it possible for me to access it in my code:

import (
	"crypto/x509"
	"net/http"
)

// getClientCertificate returns the leaf certificate the client presented during
// the TLS handshake, or nil if the request was plain HTTP or no certificate was sent.
func getClientCertificate(req *http.Request) *x509.Certificate {
	// req.TLS is nil for non-TLS requests, so check it before indexing.
	if req.TLS != nil && len(req.TLS.PeerCertificates) > 0 {
		return req.TLS.PeerCertificates[0]
	}
	return nil
}

How can I do the same in Caddy2? How do I set up the Caddyfile (for version 2) in order to require a client SSL certificate to be present?

Hey @evtr, welcome to the Caddy community!

I haven’t hacked on Caddy v2 much myself yet, so I’m not sure about accessing the client certificate in your plugin - I’ll tag in @matt and he might be able to point you in the right direction.

As for setting up the v2 Caddyfile to require a client certificate - I don’t think it can be done just yet. The functionality exists via JSON configuration (see: https://github.com/caddyserver/caddy/wiki/v2:-Documentation#httpserverstls_connection_policies), but the v2 tls directive is still WIP and missing many subdirectives present in v1, according to current documentation.

Easiest way to go about it is to adapt the v2 Caddyfile to JSON (see: https://github.com/caddyserver/caddy/wiki/v2:-Documentation#adapt), then edit the JSON to add the connection policy and use the JSON config when starting Caddy.

1 Like
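A JSON configuration of the kind described above, with a TLS connection policy that turns on client authentication. This is an added example, not from this thread or from Caddy's own documentation; the listener address, the SNI name and the CA certificate value are placeholders, and it assumes that listing a trusted CA (there being no separate require/request option in the policy) is what makes Caddy demand and verify a client certificate:

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "tls_connection_policies": [
            {
              "match": {
                "sni": ["example.com"]
              },
              "client_authentication": {
                "trusted_ca_certs": [
                  "<placeholder: base64-encoded DER of the client CA certificate>"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
```

With this policy in place, the handshake is completed only for clients whose certificate chains to the listed CA, so req.TLS.PeerCertificates in the plugin's handler only ever holds a certificate that already passed that check.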

Yes, I am working with the JSON config now. And I found the directives for connection policy, but as you said, the directives for “require” and “request” seem to be missing.
I could go back to Caddy1, I suppose.

Created a pull request for Caddy 2