Mutual authentication protocol for HTTP

mod_auth_mutual: An Apache extension module

  • The current experimental implementation of the protocol server is based on WEBrick. The following information is obsolete.

"mod_auth_mutual" is an Apache 2.2/2.3 extension module implementing the proposed Mutual authentication protocol.


Source code archive

This archive is digitally signed using jarsigner from the Sun JDK. Alternatively, you can verify it using the OpenPGP signature made by Yutaka Oiwa.

This version implements draft protocol version "draft-07"/"draft-08". User clients should also be upgraded to support this protocol version.

Usage Apache extension shared library

After compilation, put the generated ".libs/" into an appropriate path, and add one line to apache.conf:

 LoadModule auth_mutual_module /path/to/

In .htaccess, add a configuration like the following:

 AuthType Mutual
 AuthName "MutualTest"
 AuthUserFile "/path/to/.htmutualpasswd"
 AuthMutualAlgorithm iso-kam3-dl-2048-sha256
 AuthMutualHost ""
 AuthMutualPath "/"
 Require valid-user
  • AuthName corresponds to "realm" in the protocol.
  • AuthMutualHost corresponds to "host". Specify both the hostname and port. It must be equal to the host name visible to users (otherwise, the authentication will silently fail).
  • AuthUserFile specifies the filename of the password DB generated by the "htmutual" command contained in the archive.
  • AuthMutualAlgorithm specifies one of the algorithms in the specification to be used. Read the MutualTestFox release notes carefully before enabling any EC-based algorithms.


When you are using per-user authorization control (other than "Require valid-user") and you are using Apache 2.2 or some old 2.3 versions, you need to apply an included patch to the Apache server. (There is a problem when authorization is rejected after authentication succeeds. It is fixed in the current 2.3 development versions upstream.)

htmutual: Password DB generator

"Htmutual" is similar to the htpasswd command, modified for the Mutual authentication protocol.

 htmutual [options] [pwd-file] [algorithm] [host] [realm] [username]
  • The [algorithm] must be one of the protocol tokens specified in the specification. The list of supported protocols is displayed when htmutual is invoked without arguments.
  • The [host] corresponds to "auth-domain" in the protocol. Currently, it should be the hostname of the server (FQDN only, without port numbers).
  • The [realm] corresponds to "realm".
  • [Option]s are almost equivalent to htpasswd, such as "-b", "-c", and "-n".

The password data generated by this command is processed with a special one-way function.
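
Because a wrong AuthMutualHost makes authentication fail silently, it helps to check the .htaccess values against the arguments given to htmutual before deploying. The following is an added example, not part of mod_auth_mutual or its archive: the names check, parse_directives and SAMPLE_HTACCESS are hypothetical, the "hostname:port" form of AuthMutualHost and the sample hostname are assumptions (the page does not show a value), and treating an algorithm or hostname mismatch as an error is an inference from the notes above.

```python
import shlex

# Constructed sample input. The hostname is a placeholder, and the
# "hostname:port" form of AuthMutualHost is an assumption, not shown on the page.
SAMPLE_HTACCESS = '''\
AuthType Mutual
AuthName "MutualTest"
AuthUserFile "/path/to/.htmutualpasswd"
AuthMutualAlgorithm iso-kam3-dl-2048-sha256
AuthMutualHost "www.example.com:443"
AuthMutualPath "/"
Require valid-user
'''

REQUIRED = ("AuthType", "AuthName", "AuthUserFile",
            "AuthMutualAlgorithm", "AuthMutualHost")


def parse_directives(text):
    """Return {directive: first argument}, skipping blanks and # comments."""
    found = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2:
            found.setdefault(parts[0], parts[1])
    return found


def check(htaccess, algorithm, host, realm):
    """List mismatches between .htaccess and the htmutual arguments."""
    d = parse_directives(htaccess)
    problems = [f"missing {k}" for k in REQUIRED if k not in d]
    if problems:
        return problems
    if d["AuthType"].lower() != "mutual":
        problems.append("AuthType is not Mutual")
    # AuthMutualHost needs hostname and port; htmutual [host] is FQDN only.
    name, sep, port = d["AuthMutualHost"].rpartition(":")
    if not (sep and name and port.isdigit()):
        problems.append("AuthMutualHost lacks hostname and port")
    elif name.lower() != host.lower():
        problems.append("htmutual [host] differs from AuthMutualHost hostname")
    if ":" in host or "." not in host:
        problems.append("htmutual [host] must be an FQDN without a port")
    if d["AuthName"] != realm:  # AuthName is the protocol "realm"
        problems.append("htmutual [realm] differs from AuthName")
    if d["AuthMutualAlgorithm"] != algorithm:
        problems.append("htmutual [algorithm] differs from AuthMutualAlgorithm")
    return problems
```

An empty list means the two sides agree; the check does not read the password DB itself, whose format is not described here.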


This software is an output of the joint research between Yahoo! Japan and RCIS AIST, and is provided by RCIS, AIST. It is implemented by Lepidum, Inc.

Contact e-mail addresses are as follows:

  • about the protocol:
  • about the implementation: