-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Martin, On 31.10.2015 16:10, hamburg-barmbek@gmx.de wrote:

We really need authentication of individual TLS connections (as first step of authentication), because our main problem is that some of this web applications are quite old and the server software reached the end of support date already a long time ago.

Thank you for explaining your business case. It enables investigation of less obvious solutions. Is it possible to configure client browsers to use a proxy to connect the sensitive servers? Maybe you could use proxy authentication instead of TLS authentication or web application. What about using a VPN for the sensitive servers?

But client certificates are no option in this case. It has to be TOTP.

Unfortunately SSL/TLS was never designed for interactive authentication. Why exactly you cannot use client certificates? Maybe there is something I can do about it.

So your suggestion is to use some dedicated reverse HTTPS proxy in combination with i.e. privacyIDEA, right?

Right. My first guess would be chaining: - - apache2 - - mod_proxy - - mod_authnz_external - - pwauth - - libpam-google-authenticator

I guess this will get much more complicated then the client certificate based https-authentification based on stunnel before

Indeed. Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJWNQAtAAoJEC78f/DUFuAULX4P/3LEnkeBALAE4TXAWxm1aA69 0jEW/FZFAgfj1ev5ckZyH9kmwBqqZag+3IM41m46/LQ3YrhQwCs6WfoMUQcxB+vL 9LF+EF8dAmNcWHs2DQ662MjHMHBflnBYB8qy2HspEnSvXBZTWHTGLh0lJJCqS8wR WzHorzynpZDbvvav5NgvSWsDEq2xf+zeQnjdMf77zfrs7z9Ki79AJnybo5FunO3K OZ4iQsQbkGrLtB81Wy15CZtZurD/GYKoh2JN2vcMnLgtFQSfxgP/1i/YngvjRkxA bUJ+DegToo4tvD/bsbgEt0wbfhUJZAArJ76/bWf1STaiBlhKx1Y7JbJkOAnebG52 Q46mtOawe5GARFvobXMHXNh1E1NWlTPrpWg0QdlDlQhhkLQqiv6eZzeA/HzouyHY Xl2hoM+ryKHzVp+ZwMMtNoZC9cx8yftV9aH7yZTazqnx113tx3BWEdLxdNSmlpY8 wjkMn02jgN0GcVu8n2l/Q3UbCh027HjO8mCpdh25uSc3b6odexIsN7q2CBE/WYZt ThASY/tYUeEwlNyAODmAv5j32Lri6b1xxrVBKKBiLhIGWB+7UYXe1ZktYuEfFJEb 8ql7jKKt0d3lnROVI3y9+nHWVGcvDaLhy3l1WbG+SB7aTWdpXylMw8twm6/8KnAA W6Y7/2zpN9VN3WcXYUeV =9YeD -----END PGP SIGNATURE-----