[jdev] x509 client authorization
Ian Stokes-Rees
i.stokes-rees1 at physics.ox.ac.uk
Mon Mar 29 12:26:17 CST 2004
Justin Karneges wrote:
> I have been able to authenticate using x509, but between servers. It's the
> same for clients though.
OK, it seems like this happens automatically already, so I think I have
done this as well, just by providing a combined public/private key PEM
file to jabberd2.
> If you do it, just make sure you follow the standard, which is to provide the
> certificate via the TLS handshake, and use the SASL "EXTERNAL" mechanism to
> signify that the cert is to be used for authentication. This is all part of
> XMPP 1.0.
I understand that in principle, but the details are the important part.
I imagine the c2s.xml <authreg> section will require a number of
changes, and possibly also the sm.xml <module> chains. On the client
side it is no longer just a matter of establishing an encrypted SSL link
between two hosts, but actually verifying the certificate trust chain
back to a trusted CA.
Furthermore, I don't quite see how the whole thing fits together since
servers are trusted to forward messages. Without some fixed mapping of
CA certificate to (probably a set of) JID (sort of like a CA signing
policy file), and cryptographically signed jabber messages, I would have
thought it was very easy for a rogue (or hacked) server to fabricate
messages, since there is no user-user (or client-client, or JID-JID)
certificate authentication.
> You mention jabberd, but not the version. You'll have better luck with this
> in jabberd2, as it already supports XMPP 1.0. I don't recommend trying to
> retrofit this onto jabberd1.
I'm using jabberd2 already on the server side, and jabberpy-0.5 on the
client side, although I'll look at xmpppy-0.1 if that is a better idea.
Cheers,
Ian
--
Ian Stokes-Rees i.stokes-rees at physics.ox.ac.uk
Particle Physics, Oxford http://www-pnp.physics.ox.ac.uk/~stokes
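An added example, not code from this thread, jabberd2 or jabberpy, sketching the two pieces discussed above: the client's SASL EXTERNAL <auth/> element sent after the certificate has gone over in the TLS handshake, and a server-side check that maps an issuing CA to the JID domains it may vouch for, the "CA signing policy" idea from the reply. The certificate dict, the policy table and the CA and user names are constructed assumptions; the id-on-xmppAddr OID is the real subjectAltName type XMPP uses to carry a JID.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr: subjectAltName type carrying a JID

def build_external_auth(authzid=""):
    """Client side: the XMPP 1.0 <auth/> element selecting SASL EXTERNAL.
    The certificate itself already went over in the TLS handshake; this
    element only tells the server to authenticate with it.  An optional
    authzid is base64-encoded; an empty one is sent as a bare "=".
    """
    el = ET.Element("auth", {"xmlns": SASL_NS, "mechanism": "EXTERNAL"})
    el.text = base64.b64encode(authzid.encode()).decode() if authzid else "="
    return ET.tostring(el, encoding="unicode")

# Hypothetical "CA signing policy": which issuer may vouch for which JID
# domains.  Constructed for this example; jabberd2 has no such file.
CA_POLICY = {
    "CN=Oxford Physics CA,O=University of Oxford": {"physics.ox.ac.uk"},
}

# Constructed stand-in for a client certificate the TLS layer has already
# chain-verified: issuer DN plus decoded subjectAltName entries.
SAMPLE_CERT = {
    "issuer": "CN=Oxford Physics CA,O=University of Oxford",
    "san": [(XMPP_ADDR_OID, "ian@physics.ox.ac.uk")],
}

def jid_from_cert(cert, policy=CA_POLICY):
    """Server side: the JID a chain-verified cert may claim, or None.
    A valid chain is not enough: the issuer must be in the policy and the
    JID's domain must be one that issuer is permitted to sign for.
    """
    allowed_domains = policy.get(cert["issuer"], set())
    for san_type, value in cert.get("san", []):
        if san_type == XMPP_ADDR_OID and "@" in value:
            if value.split("@", 1)[1] in allowed_domains:
                return value
    return None

def authorize(cert, requested_authzid="", policy=CA_POLICY):
    """Tie the EXTERNAL request to the cert: the client may only become
    the JID the certificate proves, whatever authzid it asked for."""
    jid = jid_from_cert(cert, policy)
    if jid is None or (requested_authzid and requested_authzid != jid):
        return None
    return jid
```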