.flake8

@@ -3,7 +3,5 @@ max-line-length = 120
 import-order-style = pycharm
 enable-extensions = G
 ignore =
-    # line break occurred after a binary operator
-    W504,
-    # missing trailing comma in Python 2 only
-    C814
+    W504, # line break occurred after a binary operator
+    C814  # missing trailing comma in Python 2 only

README.md

@@ -89,27 +89,6 @@ the client does not support Kerberos. To use this, configure:
   There should be one `%s` symbol in this string, which will be replaced by the
   username.
 
-### TLS Client Certificate
-
-It's also possible to use client certificates on machines that have them for
-authentication purposes instead of using LDAP or Kerberos. To do this, set
-the environment variable `KRBAUTH_TLS_CERT_AUTH` to `1` or `yes`.
-
-Then, pass the WSGI environment variable `NGINX_SSL_CLIENT_VERIFY` from `nginx`,
-setting it to the value of `$ssl_client_verify`, like this:
-
-```nginx
-uwsgi_param NGINX_SSL_CLIENT_VERIFY "$ssl_client_verify";
-```
-
-You most likely want to make client certificate verification optional if you
-are using it with `nginx-krbauth`:
-
-```nginx
-ssl_client_certificate /path/to/ca.crt;
-ssl_verify_client optional;
-```
-
 ## Example `nginx.conf`
 
 ```nginx

nginx_krbauth.py

@@ -41,7 +41,6 @@ else:
     gssapi_creds = None
 
 COOKIE_SECURE = os.environ.get('KRBAUTH_SECURE_COOKIE', '1').lower() not in ('0', 'no')
-TLS_CERT_AUTH = os.environ.get('KRBAUTH_TLS_CERT_AUTH', '0').lower() in ('1', 'yes')
 
 
 class Context:
@@ -57,10 +56,10 @@ class Context:
         return ''.join([self.ldap_group]).encode('utf-8')
 
 
-def make_cookie(context: Context) -> str:
+def make_cookie(context: Context) -> bytes:
     message = timestamp.pack(int(time.time()) + DURATION) + os.urandom(RANDOM_SIZE) + context.bytes()
     signature = hmac.new(HMAC_KEY, message, hmac_digest).digest()
-    return base64.b64encode(signature + message).decode()
+    return base64.b64encode(signature + message)
 
 
 def verify_cookie(cookie: Optional[str], context: Context) -> bool:
@@ -171,21 +170,12 @@ def auth_basic(context: Context, next_url: str) -> Response:
     return auth_success(context, next_url)
 
 
-def check_tls() -> bool:
-    if not TLS_CERT_AUTH:
-        return False
-
-    return request.environ.get('NGINX_SSL_CLIENT_VERIFY') == 'SUCCESS'
-
-
 @app.endpoint('krbauth.auth')
 def auth() -> Response:
     next_url = request.args.get('next', '/')
     context = Context.from_request()
     authorization = request.headers.get('Authorization', '')
 
-    if check_tls():
-        return auth_success(context, next_url)
     if authorization.startswith('Negotiate '):
         return auth_spnego(context, next_url)
     if LDAP_USER_DN and authorization.startswith('Basic '):
@@ -196,6 +186,6 @@ def auth() -> Response:
 
 @app.endpoint('krbauth.check')
 def check() -> Response:
-    if check_tls() or verify_cookie(request.cookies.get('krbauth'), Context.from_request()):
+    if verify_cookie(request.cookies.get('krbauth'), Context.from_request()):
         return Response(status=200)
     return Response(status=401)

setup.py

@@ -7,7 +7,7 @@ with open(os.path.join(os.path.dirname(__file__), 'README.md')) as f:
 
 setup(
     name='nginx_krbauth',
-    version='0.0.4',
+    version='0.0.2',
     py_modules=['nginx_krbauth'],
     install_requires=['flask', 'gssapi', 'python-ldap'],
 
@@ -27,11 +27,11 @@ setup(
         'Operating System :: POSIX :: Linux',
         'Programming Language :: Python',
         'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.5',
+        'Programming Language :: Python :: 3.6',
+        'Programming Language :: Python :: 3.7',
+        'Programming Language :: Python :: 3.8',
         'Programming Language :: Python :: 3.9',
-        'Programming Language :: Python :: 3.10',
-        'Programming Language :: Python :: 3.11',
-        'Programming Language :: Python :: 3.12',
-        'Programming Language :: Python :: 3.13',
         'Topic :: Internet :: WWW/HTTP :: HTTP Servers',
         'Topic :: Internet :: WWW/HTTP :: WSGI :: Application',
         'Topic :: Security',