[Idea] Mutual TLS Authentication

[JJ2CC]

Your idea

The problematic is the authentication of Glpi-Agents on a important parc.

If you want only a valid agent can contact the glpi Server , and not a rogue agent (in the hypothese of a cloud approch by example), you MUST validate all your clients .

My approch: use the mecanism of mutual TLS authentication .
Each agent has a deidecated certificate (client), issued from an internal PKI , in a ideal world .

The agent has a new parameter , ssl-key-file ( the path of the client certificate private key) ,
With the ssl-cert-file parameter, the agent can now use a client certificate , and do a valid request to the Apache server.

In this scenario

• add the new parameter in the Agent

• add the parameter in the SSL connection

  Agent/HTTP/Client.pm

   	$self->{ua}->ssl_opts(SSL_key_file => $self->{ssl_key_file})
           if $self->{ssl_key_file};
  

• in apache , do a new vhost , and specify the validation conditions
  # ################
  # Partie SSL #
  ################
  SSLEngine on

    SSLCertificateFile      /etc/apache2/ssl/xxxxx.fr.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/xxxxxxxxxx.key
    SSLCertificateChainFile /etc/apache2/ssl/xxxx.pem
  
  
     <Directory /var/www/glpi/plugins>
            SSLOptions +StdEnvVars
  
            SSLVerifyClient require
            SSLVerifyDepth 1
  
            # https://httpd.apache.org/docs/current/mod/mod_ssl.html
            # Vérifier le CN du certificat client
            SSLRequire %{SSL_CLIENT_S_DN_CN} eq "glpi10"
    </Directory>
  

I dit it for an old version (1.5), and it's work

Do you accept this change ?

[g-bougard]

Hi @JJ2CC

to me it's still possible why a concatenation of the cert & the private key in a file and just use ssl-cert-file option. Have you tried that ?