novnc · hoehermann · Aug 29, 2017 · Aug 29, 2017 · Sep 3, 2017 · Sep 3, 2017
diff --git a/docs/websockify.1 b/docs/websockify.1
@@ -97,11 +97,13 @@ The wstelnet.html page demonstrates a simple WebSockets based telnet client.
 
 .SS Use client certificate verification
 
-The --verify-client makes the server ask the client for a SSL certificate. Presenting a valid (not expired and trusted by any supplied certificate authority) certificate is required for the client connection. With -auth-plugin=ClientCertAuth, the client certificate can be checked against a list of authorised certificate users. Non-encrypted connection attempts always fail during authentication.
+This feature requires Python 2.7.9 or newer or Python 3.4 or newer.
+
+The --verify-client option makes the server ask the client for a SSL certificate. Presenting a valid (not expired and trusted by any supplied certificate authority) certificate is required for the client connection. With -auth-plugin=ClientCertCNAuth, the client certificate can be checked against a list of authorised certificate users. Non-encrypted connection attempts always fail during authentication.
 
 Here is an example of a vncsevrer with password-less, certificate-driven authentication:
 
-`./websockify 5901 --cert=fullchain.pem --key=privkey.pem --ssl-only --verify-client --cafile=ca-certificates.crt --auth-plugin=ClientCertAuth --auth-source='[email protected] Joe User9824510' --web=noVNC/ --wrap-mode=ignore -- vncserver :1 -geometry 1024x768 -SecurityTypes=None`
+`./websockify 5901 --cert=fullchain.pem --key=privkey.pem --ssl-only --verify-client --cafile=ca-certificates.crt --auth-plugin=ClientCertCNAuth --auth-source='[email protected] Joe User9824510' --web=noVNC/ --wrap-mode=ignore -- vncserver :1 -geometry 1024x768 -SecurityTypes=None`
 
 The --auth-source option takes a white-space separated list of common names. Depending on your clients certificates they can be verified email addresses, user-names or any other string used for identification.
 

diff --git a/websockify/auth_plugins.py b/websockify/auth_plugins.py
@@ -82,7 +82,7 @@ def authenticate(self, headers, target_host, target_port):
         if origin is None or origin not in self.source:
             raise InvalidOriginError(expected=self.source, actual=origin)
 
-class ClientCertAuth(object):
+class ClientCertCNAuth(object):
     """Verifies client by SSL certificate. Specify src as whitespace separated list of common names."""
 
     def __init__(self, src=None):

diff --git a/websockify/websocketproxy.py b/websockify/websocketproxy.py
@@ -407,7 +407,8 @@ def websockify_init():
     parser.add_option("--ssl-target", action="store_true",
             help="connect to SSL target as SSL client")
     parser.add_option("--verify-client", action="store_true",
-            help="require encrypted client to present a valid certificate")
+            help="require encrypted client to present a valid certificate "
+            "(needs Python 2.7.9 or newer or Python 3.4 or newer)")
     parser.add_option("--cafile", metavar="FILE",
             help="file of concatenated certificates of authorities trusted "
             "for validating clients (only effective with --verify-client). "