From 5de1ece3886cf929ac261aeae4446e2186e1f1ea Mon Sep 17 00:00:00 2001 From: Andrea Lusuardi - uovobw Date: Wed, 30 Sep 2015 19:06:05 +0200 Subject: [PATCH] Update readme for client certificate authentication --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 4f1a440..a4e4d0a 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,9 @@ By default, GoTTY starts a web server at port 8080. Open the URL on your web bro --tls, -t Enable TLS/SSL [$GOTTY_TLS] --tls-crt "~/.gotty.key" TLS/SSL crt file path [$GOTTY_TLS_CRT] --tls-key "~/.gotty.crt" TLS/SSL key file path [$GOTTY_TLS_KEY] +--client, -C Enable Client Certificate [$GOTTY_CLIENT] +--client-ca-file "~/.gotty.ca.crt" Client CA certificate file [$GOTTY_CLIENT_CA_FILE] +--client-verify Enable verification of client certificate [$GOTTY_CLIENT_VERIFY] --index Custom index file [$GOTTY_INDEX] --title-format "GoTTY - {{ .Command }} ({{ .Hostname }})" Title format of browser window [$GOTTY_TITLE_FORMAT] --reconnect Enable reconnection [$GOTTY_RECONNECT] @@ -101,6 +104,8 @@ All traffic between the server and clients are NOT encrypted by default. When yo openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.gotty.key -out ~/.gotty.crt ``` +For added security you can use an SSL/TLS client certificate by enabling it with the `-C` option (this requires the `-t` or `--tls` flag to be set). This requires all client connecting to provide a valid certificate that can be validated (use the `--client-verify` option to make verification mandatory) against the CA file that is provided via the `--client-ca-file` option. + (NOTE: For Safari uses, see [how to enable self-signed certificates for WebSockets](http://blog.marcon.me/post/24874118286/secure-websockets-safari) when use self-signed certificates) ## Sharing with Multiple Clients