Hi again,

There is this comment about listen-clear-file in the sample config:

    # Accept connections using a socket file. It accepts HTTP
    # connections (i.e., without SSL/TLS unlike its TCP counterpart),
    # and uses it as the primary channel. That option cannot be
    # combined with certificate authentication.
    #listen-clear-file = /var/run/ocserv-conn.socket

haproxy and nginx at least have the ability to pass the SSL certificates and the validation exit status as headers to the request while it is forwarded to the backend.

In haproxy 1.5.7+ config speech:

    frontend f_one:
        http-request add-header X-SSL-Client-Cert %[ssl_c_der,base64]
        http-request add-header X-SSL-Server-Cert %[ssl_f_der,base64]
        http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

In this case a request without a client certificate would look like:

    ...
    GET /profiles/profile.xml HTTP/1.1
    Host: vpn.example.org
    Cookie: webvpn=[...]
    X-SSL-Client-Verify: 0
    X-SSL-Client-Cert:
    X-SSL-Server-Cert: MIIE6....EFlaI
    ...

And a request with an invalid client certificate:

    ...
    GET /profiles/profile.xml HTTP/1.1
    Host: vpn.example.org
    Cookie: webvpn=[...]
    X-SSL-Client-Verify: 12
    X-SSL-Client-Cert: MII....wuY29
    X-SSL-Server-Cert: MII....EFlaI
    ...

ocserv could make use of this facility to support certificate authentication over UNIX sockets.

Regards,
Claudio
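
One way a backend behind the haproxy configuration quoted above could interpret the forwarded headers, as an added example that is not part of the original message and is not ocserv or haproxy code (the struct, enum and function names are hypothetical). It treats a repeated or missing header as untrusted, because add-header appends to any copy the client already sent, and it separates "no certificate" from "valid certificate", since the first request in the message carries X-SSL-Client-Verify: 0 with an empty X-SSL-Client-Cert.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One forwarded request header, as the backend sees it after HTTP parsing. */
struct hdr { const char *name; const char *value; };

enum cert_status { CERT_OK, CERT_ABSENT, CERT_INVALID, CERT_UNTRUSTED_HEADERS };

/* Return the value of header `name`, or NULL if absent. Sets *dup when the
 * header occurs more than once (add-header appends, so a client-sent copy
 * would still be present next to the proxy's own). */
static const char *single(const struct hdr *h, size_t n, const char *name, int *dup)
{
    const char *v = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(h[i].name, name) != 0)
            continue;
        if (v != NULL)
            *dup = 1;
        v = h[i].value;
    }
    return v;
}

/* Classify the client-certificate state from the proxy's X-SSL-* headers. */
enum cert_status classify_client_cert(const struct hdr *h, size_t n)
{
    int dup = 0;
    const char *verify = single(h, n, "X-SSL-Client-Verify", &dup);
    const char *cert = single(h, n, "X-SSL-Client-Cert", &dup);

    if (dup || verify == NULL || cert == NULL)
        return CERT_UNTRUSTED_HEADERS;  /* not the shape the proxy config emits */
    if (strcmp(verify, "0") != 0)
        return CERT_INVALID;            /* e.g. 12 in the message's example */
    if (cert[0] == '\0')
        return CERT_ABSENT;             /* verify is 0 when no cert was sent */
    return CERT_OK;
}

int main(void)
{
    /* Constructed sample: the "no client certificate" request from the message. */
    struct hdr req[] = { { "X-SSL-Client-Verify", "0" }, { "X-SSL-Client-Cert", "" } };
    printf("%d\n", classify_client_cert(req, 2));
    return 0;
}
```

On the proxy side the same concern is addressed by using set-header (or deleting the incoming header first) for every X-SSL-* header, so the backend only ever sees the proxy's values.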