Core: Feature Request: Support client-side SSL/TLS certificates in the web GUI

Created on 13 Jul 2017 · 11 Comments · Source: opnsense/core

I have a customer that uses client-side certificates for authentication in web applications. It would be great if OPNsense supported this as well. Additionally, optional integration with 2FA would be amazing.

help wanted

All 11 comments

@lattera it shouldn't be very difficult to force a client certificate, can you try the following to see if it matches your expectations?

  • create a CA (or use an existing one)
  • create a certificate for the webui using the CA above
  • configure the web ui to use this CA (/system_advanced_admin.php)
  • create another cert (using the same CA) for your browser

Then edit /var/etc/lighty-webConfigurator.conf

Search for $SERVER["socket"] == "0.0.0.0:443" { } and then go to the line below it: ssl.ca-file = "/var/etc/ca.pem"

Next paste this under the ssl.ca-file:

ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

Kill lighttpd and restart using:
/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf

Now you should only be allowed to enter the server with the correct cert installed.
If this is what you're looking for, I suggest that we add one checkbox in system advanced. I think this is a useful extension to enhance security too.

I'll spin up a new OPNsense instance for testing soon. I'll report back within the next week or two.

@AdSchellevis It would be better if enforce is configurable. So the user can be signed in by using the certificate if it is available and if not, the login screen is displayed.

@fabianfrz it's an extra layer of security, you need a valid certificate and need credentials... I don't think we should try to login the user automatically.

@lattera did you find time to test this already?

I haven't, sorry. I had a few fires to put out. I'm hoping to get some time to test this week, though.

I would love to be able to use this feature as well.
@AdSchellevis what can I do to help?

@wschlich test if https://github.com/opnsense/core/issues/1718#issuecomment-315535269 matches expectations, then there's work needed to actually implement the feature, but somewhere on the road to 19.7 I can probably pick that up.

  • create a CA (or use an existing one)
  • create a certificate for the webui using the CA above
  • configure the web ui to use this CA (/system_advanced_admin.php)
  • create another cert (using the same CA) for your browser

Then edit /var/etc/lighty-webConfigurator.conf

Search for $SERVER["socket"] == "0.0.0.0:443" { } and then go to the line below it: ssl.ca-file = "/var/etc/ca.pem"

My setup is using a Root CA, an intermediate Server CA and an intermediate User CA (all managed by OPNsense).
The Server CA signed the Web UI certificate and the User CA signed the user certificate (also used for VPN).

The lighttpd ssl.ca-file (/var/etc/ca.pem) seems to contain the Root CA and the intermediate Server CA certificates (it would only need to contain the intermediate Server CA certificate to be able to send this one out to the browser) and not the intermediate User CA one (obviously).
Thus, client certificate auth would not work for my scenario.

lighttpd seems to have inadequate configuration options to distinguish between a) intermediate CA certificates needed when sending out its server certificate and b) trusted CA certificates for client certificate verification: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL

Trying to use the available options would mean it would be necessary to combine all intermediate and root certificates needed when a) sending out the server certificate and b) verifying client certificates.

lighttpd SSL support is (to me) poorly implemented (https://redmine.lighttpd.net/issues/1288, https://redmine.lighttpd.net/issues/2694) and documentation is even worse.

I really don't want to use this cr^Wstuff in the state that it currently is :(

P.S.: Okay, I brought myself to open up a lighttpd ticket about the issue: https://redmine.lighttpd.net/issues/2937

ok, we'll leave it for now then.

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.
