repoze.who X509 plugin
This plugin enables repoze.who to identify (not completely authenticate) users according to their SSL client certificates. It can check the fields (attribute types) in the subject distinguished name.
It supports “out of the box” Apache's SSL functionality, provided mod_wsgi is also activated, and Nginx SSL functionality. However, this documentation also includes configuration examples for both Apache and Nginx for when they are working as reverse proxies.
This plugin was developed independently of the repoze project (copyrighted to Agendaless Consulting, Inc.).
Installing this plugin
The minimum requirements for installation are python-dateutil. If you want to run the tests, then Nose and its coverage plugin will also be installed. It can be installed with
If you want to use the IIdentifier object, then you can build it as follows, and then pass it to the identifiers parameter of
    from repoze.who.plugins.x509 import X509Identifier
    identifier = X509Identifier('SSL_CLIENT_S_DN')
The required parameter of X509Identifier is the WSGI environment key of the “distinguished name” of the client certificate subject. By default the credentials are based on the “Email” field, but it can be customized as
    from repoze.who.plugins.x509 import X509Identifier
    identifier = X509Identifier('SSL_CLIENT_S_DN', login_field='CN')
In this case it will try to get the credentials from the common name of the client certificate subject.
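The following is an added example, not the plugin's own code: it shows how a login can be derived from the subject DN held in the WSGI environment, and it goes beyond the text by accepting both the slash-separated and the comma-separated DN string forms. It assumes that the front end also exposes the verification result as SSL_CLIENT_VERIFY and that the “Email” field appears as emailAddress inside the DN string; the function names are hypothetical.

```python
# Assumption: the "Email" field is spelled emailAddress inside the DN string.
ALIASES = {"Email": "emailAddress"}


def split_unescaped(text, sep):
    """Split on sep, treating backslash + any character as literal text."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    return parts + [cur]


def parse_dn(dn):
    """Return (type, value) pairs from "/C=ES/CN=x" or "CN=x,C=ES" strings."""
    # Values stay in escaped form; multi-valued RDNs ("+") are not split.
    sep = "/" if dn.startswith("/") else ","
    pairs = []
    for part in split_unescaped(dn.lstrip("/"), sep):
        key, eq, value = part.strip().partition("=")
        if not (key and eq and value):
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((key, value))
    return pairs


def login_from_environ(environ, dn_key="SSL_CLIENT_S_DN", login_field="Email"):
    """Return the login from a verified client certificate, else None."""
    # Trust the DN only when the TLS terminator reports a verified certificate.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    wanted = ALIASES.get(login_field, login_field)
    try:
        pairs = parse_dn(environ.get(dn_key, ""))
    except ValueError:
        return None
    values = [value for key, value in pairs if key == wanted]
    # No match or several matches is ambiguous: refuse rather than pick one.
    return values[0] if len(values) == 1 else None


# Constructed sample environ, using the comma-separated DN form.
SAMPLE = {"SSL_CLIENT_VERIFY": "SUCCESS",
          "SSL_CLIENT_S_DN": "emailAddress=alice@example.org,CN=Alice,O=Example,C=ES"}
```

Returning None when the field is missing, repeated or malformed keeps the identifier from guessing a login out of an ambiguous subject.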