[stunnel-users] One Time Password for https two factor authentication

Michal Trojnara Michal.Trojnara at mirt.net
Sat Oct 31 18:53:49 CET 2015



Hi Martin,

On 31.10.2015 16:10, hamburg-barmbek at gmx.de wrote:
> We really need authentication of individual TLS connections (as
> first step of authentication), because our main problem is that
> some of these web applications are quite old and the server software
> reached the end of support date already a long time ago.

Thank you for explaining your business case.
It enables investigation of less obvious solutions.

Is it possible to configure client browsers to use a proxy to connect
to the sensitive servers?  Maybe you could use proxy authentication
instead of TLS authentication or web application.

What about using a VPN for the sensitive servers?

> But client certificates are no option in this case. It has to be
> TOTP.

Unfortunately SSL/TLS was never designed for interactive authentication.

Why exactly can't you use client certificates?
Maybe there is something I can do about it.

> So your suggestion is to use some dedicated reverse HTTPS proxy in 
> combination with i.e. privacyIDEA, right?

Right. My first guess would be chaining:
- apache2
- mod_proxy
- mod_authnz_external
- pwauth
- libpam-google-authenticator

> I guess this will get much more complicated than the client
> certificate based HTTPS authentication based on stunnel before

Indeed.

Best regards,
	Mike
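The chain Mike sketches above, written out as a configuration. This is an added example, not part of the thread: the hostnames, certificate paths, backend address and the PAM service name "pwauth" are assumptions, and it presumes the Apache modules ssl, proxy, proxy_http and authnz_external are enabled and pwauth was built with PAM support.

```apache
# Added example: Apache reverse proxy demanding password + TOTP in front of a
# legacy HTTPS backend, via apache2 -> mod_proxy -> mod_authnz_external ->
# pwauth -> pam_google_authenticator. Names and paths below are assumptions.
#
# --- /etc/apache2/sites-available/legacy-proxy.conf ---
<VirtualHost *:443>
    # Assumed public name and certificate paths of the proxy itself.
    ServerName legacy.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/legacy.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/legacy.example.org.key

    # mod_authnz_external passes the Basic-auth user/password to pwauth over a
    # pipe; pwauth validates them through the PAM stack in /etc/pam.d/pwauth.
    DefineExternalAuth pwauth pipe /usr/sbin/pwauth

    # Re-encrypt towards the old server; pin its CA so the proxy does not
    # blindly trust whatever certificate the unsupported backend presents.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/legacy-backend-ca.pem

    <Location "/">
        AuthType Basic
        AuthName "Legacy application (password followed by one-time code)"
        AuthBasicProvider external
        AuthExternal pwauth
        Require valid-user

        # Only requests that passed the auth stage reach the backend
        # (assumed internal address).
        ProxyPass        "https://10.0.0.5/"
        ProxyPassReverse "https://10.0.0.5/"
    </Location>
</VirtualHost>

# --- /etc/pam.d/pwauth (assumed PAM service name used by this pwauth build) ---
# Basic auth offers a single password field, so the user types
# <unix password><6-digit TOTP code>. forward_pass makes the Google
# Authenticator module verify and strip the code, then hand the remaining
# password to pam_unix via use_first_pass.
auth    required pam_google_authenticator.so forward_pass
auth    required pam_unix.so use_first_pass
account required pam_unix.so
```

Each user still needs to run `google-authenticator` once on the proxy host to create ~/.google_authenticator, and the proxy must be the only network path to the backend or the authentication is bypassable.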
