Hi Martin,
On 31.10.2015 16:10, hamburg-barmbek@gmx.de wrote:
> We really need authentication of individual TLS connections (as first step of authentication), because our main problem is that some of these web applications are quite old and the server software reached the end of support date already a long time ago.
Thank you for explaining your business case. It enables investigation of less obvious solutions.
Is it possible to configure client browsers to use a proxy to connect to the sensitive servers? Maybe you could use proxy authentication instead of TLS authentication or web application authentication.
What about using a VPN for the sensitive servers?
> But client certificates are no option in this case. It has to be TOTP.
Unfortunately SSL/TLS was never designed for interactive authentication.
Why exactly can't you use client certificates? Maybe there is something I can do about it.
> So your suggestion is to use some dedicated reverse HTTPS proxy in combination with i.e. privacyIDEA, right?
Right. My first guess would be chaining:

- apache2
- mod_proxy
- mod_authnz_external
- pwauth
- libpam-google-authenticator
> I guess this will get much more complicated than the client certificate based HTTPS authentication based on stunnel before.
Indeed.
Best regards, Mike
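The chain Mike sketches above, written out as an Apache httpd 2.4 configuration. This is an added example for readers of the thread, not configuration posted by either participant or shipped by stunnel: the gateway hostname, certificate paths, backend URL and cache timeout are assumptions, and it adds mod_authn_socache (not in Mike's list) so that the browser's re-sent Basic credentials keep working after the 30-second TOTP window has closed.

```apache
# Added example, not from the stunnel-users thread. Apache httpd 2.4 acting as
# an authenticating reverse proxy in front of a legacy HTTPS application.
# Hostnames, paths, the backend URL and the cache timeout are assumptions.

LoadModule proxy_module             modules/mod_proxy.so
LoadModule proxy_http_module        modules/mod_proxy_http.so
LoadModule ssl_module               modules/mod_ssl.so
LoadModule authnz_external_module   modules/mod_authnz_external.so
LoadModule authn_socache_module     modules/mod_authn_socache.so
LoadModule socache_shmcb_module     modules/mod_socache_shmcb.so

# mod_authnz_external hands "username\npassword\n" to pwauth on stdin;
# pwauth exits 0 when the PAM service "pwauth" accepts the pair.
DefineExternalAuth pwauth pipe /usr/sbin/pwauth

# Shared-memory cache of successful authentications, so a TOTP code that was
# valid at login is not re-checked (and rejected) on every later request.
AuthnCacheSOCache shmcb

<VirtualHost *:443>
    # Assumed hostname and certificate paths.
    ServerName legacy-gateway.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gateway.pem
    SSLCertificateKeyFile /etc/ssl/private/gateway.key

    <Location "/">
        AuthType Basic
        AuthName "Legacy application (password followed by TOTP code)"
        # Consult the cache first, then fall back to the external checker.
        AuthBasicProvider socache external
        AuthnCacheProvideFor external
        AuthnCacheTimeout 900
        AuthExternal pwauth
        Require valid-user

        # Only authenticated requests are forwarded to the old server
        # (assumed backend URL).
        SSLProxyEngine on
        ProxyPass        "https://legacy-app.internal/"
        ProxyPassReverse "https://legacy-app.internal/"
    </Location>
</VirtualHost>

# Matching PAM service file, /etc/pam.d/pwauth (assumed layout):
# the user types <password><6-digit TOTP>; forward_pass strips the code off
# the end, verifies it, and passes the remaining password on to pam_unix.
#
#   auth required pam_google_authenticator.so forward_pass
#   auth required pam_unix.so use_first_pass
```

Two points a deployer should check: pwauth by default refuses to authenticate accounts below a minimum UID, so the application users must be ordinary system accounts with a per-user `~/.google_authenticator` secret; and because the legacy backend is the thing being protected, the proxy should be the only network path to it (firewall the old server to accept connections from the gateway alone), otherwise the authentication layer can simply be bypassed. The cache timeout bounds how long a captured Basic credential pair remains reusable, so keep it short.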