I've configured my Apache/Phabricator installation to verify clients using signed SSL certificates. I was able to get everything working with the web interface but I hit a snag when trying to use arcanist. The problem is that there is a configuration option for accepting a self-signed CA (https.cabundle) but there are no options for specifying a client certificate to use with curl.
I wrote my own patch to solve the problem so in the meantime I can keep reapplying it to official phab updates, but it'd be nice to see the feature make its way into the official code base.
My solution was to create new arc config keys allowing the user to specify their client certificate filepath. Making it work on both Linux and macOS brought about its own complications. The curl running on macOS is able to parse .p12 files, whereas I wasn't able to get curl on my Linux (Ubuntu 16.04) to parse my .p12 file, so I had to extract the certificate and key manually.
In an effort to create a platform-agnostic solution, I created the following arcanist configuration keys, which map to the indicated CURLOPT_ in PHP:
- https.sslcert → CURLOPT_SSLCERT
  - Linux: client.crt, the user's public certificate file path
  - macOS: client.p12, the user's .p12 package file path
- https.sslcertpassword → CURLOPT_SSLCERTPASSWD
  - macOS only; the user's import password for their .p12 file in plaintext
- https.sslkey → CURLOPT_SSLKEY
  - Linux only; client.key, the user's private key file path
It was a quick solution that got me up and off the ground. I'm confident you can come up with something more elegant.
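
The key-to-option mapping described in the post, as an added example that is not part of the original post or of arcanist. The function name `build_client_cert_curlopts`, the `P12` type hint and the owner-only permission check are assumptions added for illustration.

```php
<?php
// Added example: hypothetical helper, not arcanist's own code.
function build_client_cert_curlopts(array $config): array {
    $map = [
        'https.sslcert'         => CURLOPT_SSLCERT,
        'https.sslcertpassword' => CURLOPT_SSLCERTPASSWD,
        'https.sslkey'          => CURLOPT_SSLKEY,
    ];
    $opts = [];
    foreach ($map as $key => $curlopt) {
        if (isset($config[$key]) && $config[$key] !== '') {
            $opts[$curlopt] = $config[$key];
        }
    }
    if (!isset($opts[CURLOPT_SSLCERT])) {
        return [];  // no client certificate configured
    }
    // A .p12 bundle carries the private key itself; otherwise the key is a separate file.
    $is_p12 = strtolower(pathinfo($opts[CURLOPT_SSLCERT], PATHINFO_EXTENSION)) === 'p12';
    if ($is_p12) {
        $opts[CURLOPT_SSLCERTTYPE] = 'P12';  // state the container format explicitly
    }
    $secret = $is_p12 ? $opts[CURLOPT_SSLCERT] : ($opts[CURLOPT_SSLKEY] ?? null);
    foreach (array_filter([$opts[CURLOPT_SSLCERT], $secret]) as $path) {
        if (!is_readable($path)) {
            throw new RuntimeException("Cannot read $path");
        }
    }
    // Assumed policy: refuse key material that group/others can access (POSIX only).
    clearstatcache();
    if ($secret !== null && DIRECTORY_SEPARATOR === '/' && (fileperms($secret) & 0077)) {
        throw new RuntimeException("$secret must be owner-only (chmod 600)");
    }
    return $opts;
}

// Demo with constructed placeholder files (no real key material).
$crt = tempnam(sys_get_temp_dir(), 'crt');
$key = tempnam(sys_get_temp_dir(), 'key');
chmod($key, 0644);                       // simulate a key readable by other users
$config = ['https.sslcert' => $crt, 'https.sslkey' => $key];
try {
    build_client_cert_curlopts($config);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
chmod($key, 0600);
var_dump(curl_setopt_array(curl_init(), build_client_cert_curlopts($config)));
unlink($crt); unlink($key);
```

Because `https.sslcertpassword` is kept in plaintext, the arc config file that holds it deserves the same owner-only permissions as the key file.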