author: C. McEnroe <june@causal.agency> 2020-01-17 16:47:24 -0500
committer: C. McEnroe <june@causal.agency> 2020-01-17 16:47:24 -0500
commit: cd3128597931b10905c5c90b758bcb7a7bc7e915 (patch)
tree: 76859465953d77cc1d9b58712eca77d4d7e1277d
parent: Set certificate expiry to 10 years (diff)
download: pounce-cd3128597931b10905c5c90b758bcb7a7bc7e915.tar.gz
download: pounce-cd3128597931b10905c5c90b758bcb7a7bc7e915.zip
Document process of generating client certificates
-rw-r--r-- pounce.1 | 44
1 files changed, 42 insertions, 2 deletions
diff --git a/pounce.1 b/pounce.1
index 5edbbfa..96ae985 100644
--- a/pounce.1
+++ b/pounce.1
@@ -1,4 +1,4 @@
-.Dd January 12, 2020
+.Dd January 17, 2020
.Dt POUNCE 1
.Os
.
@@ -75,6 +75,8 @@ Require clients to authenticate
using a TLS client certificate
signed by the certificate authority loaded from
.Ar path .
+See
+.Sx Generating Client Certificates .
If
.Fl W
is also set,
@@ -297,7 +299,13 @@ If
.Fl W
is used,
clients must send a server password.
-Clients should not attempt SASL.
+If
+.Fl A
+is used,
+clients must connect with a client certificate
+and may request SASL EXTERNAL.
+If both are used,
+clients may authenticate with either method.
.
.Pp
Clients should register with unique usernames,
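Review bot: the added paragraph ("If .Fl A is used, clients must connect with a client certificate and may request SASL EXTERNAL") leaves one case undocumented: a client that presents a certificate but neither requests SASL EXTERNAL nor sends a password. Since the sentence before it says password clients "must send a server password" while certificate clients only "may request" SASL, a reader cannot tell whether the TLS-level certificate check alone authenticates the client or whether SASL EXTERNAL is required to complete authentication; one sentence stating which it is would remove the ambiguity, and the closing "If both are used, clients may authenticate with either method" should then be read against it.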
@@ -336,6 +344,38 @@ sent to the user's own nickname
are relayed only to other clients,
not to the server.
.
+.Ss Generating Client Certificates
+.Bl -enum
+.It
+Generate a self-signed certificate authority (CA):
+.Bd -literal -offset indent
+pounce -g auth.pem
+.Ed
+.It
+Generate and sign client certificates
+using the CA:
+.Bd -literal -offset indent
+pounce -A auth.pem -g client1.pem
+pounce -A auth.pem -g client2.pem
+.Ed
+.It
+Since only the public key is needed
+for certificate verification,
+extract it from the CA:
+.Bd -literal -offset indent
+openssl x509 -in auth.pem -out auth.crt
+.Ed
+.It
+Configure
+.Nm
+to verify client certificates
+against the CA:
+.Bd -literal -offset indent
+local-ca = auth.crt
+# or: pounce -A auth.crt
+.Ed
+.El
+.
.Ss Configuring SASL EXTERNAL
.Bl -enum
.It
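Review bot: step 3 says the openssl command extracts "the public key", but `openssl x509 -in auth.pem -out auth.crt` writes the CA certificate (which carries the public key), so "extract the certificate from the CA" is the accurate wording. More importantly, the reason the step exists is left implicit: auth.pem, having just been used with `-A auth.pem -g client1.pem` to sign client certificates, holds the CA private key, and anyone who obtains it can issue certificates that `-A`/`local-ca` will accept. Suggest adding a sentence after step 3 that auth.pem should be kept out of the pounce configuration and stored with restrictive permissions (for example `chmod 600 auth.pem`), with only auth.crt deployed alongside the daemon, so step 4's `local-ca = auth.crt` is understood as deliberate rather than as an arbitrary file choice.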