I am evaluating Xibo and working to secure it. I have the CMS running on Nginx with server and client SSL enabled.
I am able to access the CMS console from a browser with server and client certificates enabled. (See above.)
The Windows player running on the same Windows machine (Windows 7 Professional) I am accessing the CMS from is not able to connect.
Changing ssl_verify_client on the Nginx server from “on” to “optional” allows the Windows player to connect successfully. This and the Nginx debug logs inform me that the player is not sending the client certificate.
Is there some additional configuration which needs to be done to allow the Player to send the client certificate?
Google suggests that client-side SSL certificates require code modifications in the Player to pass those in to the web service when it makes those calls. We don’t have anything along those lines on the roadmap, I’m afraid.
Normal server SSL is already supported out of the box (and encouraged!)
Hopefully this is something that can be put on the roadmap… Perhaps in the Python version of the Player.
My interest in using client certificates is not only for the server authentication and the encrypted channel, but also so the clients identify themselves to the server using an individual and stronger means than the token. This way I can be assured of the identity of the client which is being served potentially sensitive business metrics.
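An added example, not taken from the posts or from the Xibo project: with `ssl_verify_client optional`, Nginx no longer rejects requests that arrive without a client certificate, so the requirement has to be re-imposed on each location that should keep it. The server name, certificate paths, backend address and the `/player-service/` location are placeholders assumed for illustration.

```nginx
# Added example. Server name, file paths, backend address and the
# /player-service/ location are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name cms.example.internal;

    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;  # CA that issues client certs

    # "on" refuses any request without a valid client certificate, which is
    # what blocked the player. "optional" asks for a certificate but also
    # serves clients that send none, so each location must decide for itself.
    ssl_verify_client optional;
    ssl_verify_depth  2;

    # Player web-service endpoint (placeholder path): served without a client
    # certificate. It still gets server TLS, and the player is identified
    # only by its token.
    location /player-service/ {
        # Never forward a client-supplied identity header to the backend.
        proxy_set_header X-Client-DN "";
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else, including the CMS console: require a certificate that
    # verified against ssl_client_certificate. $ssl_client_verify is NONE when
    # no certificate was sent and SUCCESS when one verified.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Pass the verified subject DN so the backend can log who connected.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Adding `$ssl_client_verify` and `$ssl_client_s_dn` to the access `log_format` records which requests arrived with a verified certificate and which relied on the token alone.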