[stunnel-users] One Time Password for https two factor authentication
Michal.Trojnara at mirt.net
Sat Oct 31 18:53:49 CET 2015
On 31.10.2015 16:10, hamburg-barmbek at gmx.de wrote:
> We really need authentication of individual TLS connections (as
> first step of authentication), because our main problem is that
> some of these web applications are quite old and the server software
> reached the end of support date already a long time ago.
Thank you for explaining your business case.
It enables investigation of less obvious solutions.
Is it possible to configure client browsers to use a proxy to connect
to the sensitive servers? Maybe you could use proxy authentication
instead of TLS authentication or web application authentication.
What about using a VPN for the sensitive servers?
> But client certificates are no option in this case. It has to be
Unfortunately SSL/TLS was never designed for interactive authentication.
Why exactly can't you use client certificates?
Maybe there is something I can do about it.
> So your suggestion is to use some dedicated reverse HTTPS proxy in
> combination with i.e. privacyIDEA, right?
Right. My first guess would be chaining:
- apache2
- mod_proxy
- mod_authnz_external
- pwauth
- libpam-google-authenticator
> I guess this will get much more complicated than the client
> certificate based https-authentication based on stunnel before
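The apache2 / mod_proxy / mod_authnz_external / pwauth / libpam-google-authenticator chain suggested above, written out as one configuration. This is an added example, not code from the thread or from the stunnel project. Assumed: a Debian-style apache2 with the modules enabled through a2enmod, a legacy backend at http://10.0.0.5:8080/ that is reachable only from the proxy host, and placeholder hostname and certificate paths; the PAM service name "pwauth" and the pam_google_authenticator options are what those packages document, but the user enrolment (google-authenticator run per user) is not shown.

```apache
# Added example, not part of the original thread.
# Assumptions: Debian-style apache2 with
#   a2enmod ssl proxy proxy_http headers authnz_external
# a legacy backend at http://10.0.0.5:8080/ reachable only from this host,
# and placeholder hostname and certificate paths.

# mod_authnz_external: ask pwauth to verify the user; pwauth in turn runs
# the PAM stack /etc/pam.d/pwauth (service name used by the Debian package).
DefineExternalAuth pwauth pipe /usr/sbin/pwauth

<VirtualHost *:443>
    ServerName legacy.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/legacy.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/legacy.example.org.key

    <Location "/">
        # Every request must carry valid Basic credentials; the password
        # field holds the account password with the 6-digit OTP appended.
        AuthType Basic
        AuthName "Password followed by your 6-digit OTP"
        AuthBasicProvider external
        AuthExternal pwauth
        Require valid-user

        # Never forward the Basic credentials (password+OTP) to the
        # unsupported backend: it authenticates nothing itself and has
        # no business seeing the second factor.
        RequestHeader unset Authorization

        ProxyPass        http://10.0.0.5:8080/
        ProxyPassReverse http://10.0.0.5:8080/
    </Location>
</VirtualHost>

# /etc/pam.d/pwauth (the PAM stack pwauth consults; constructed for this
# example):
#   auth required pam_google_authenticator.so forward_pass
#   auth required pam_unix.so use_first_pass
# forward_pass makes the OTP module strip the trailing code from the single
# password field and hand the remainder to pam_unix via use_first_pass, so
# both factors are checked from one Basic-auth prompt.
```

Two practical caveats a practitioner will hit with this chain. First, Basic authentication resends the same credentials on every request, so the OTP is re-verified on every request; a TOTP code is only valid for its time window and pam_google_authenticator refuses reuse of a code by default, so without a credential cache (check whether your mod_authnz_external version cooperates with mod_authn_socache) or a form/session login in front, the second page load fails. Second, pwauth by default refuses to authenticate low-numbered system accounts and must itself be allowed to read the shadow file (it is setuid on Debian), so the web users need ordinary Unix accounts on the proxy host.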