
Re: SASL/EXTERNAL - why/how?





--On Monday, July 05, 2004 2:56 PM +0200 Turbo Fredriksson <turbo@bayour.com> wrote:

"Quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:

>> From what I could gather, nothing else accepts a SSL
>> certificate as authentication method, so other than the LDAP
>> connection, the authentication mechanism is 'useless'... What
>> did I miss?

    Quanah> I'm not quite sure what you mean here by "nothing else".
    Quanah> Lots of software bits use cert authentication.

Such as? I couldn't find any (and yes, I checked google - obviously
not with the correct search string :)...

Well, for one example, we use cert authentication with our XML Document service, that runs via Apache and Tomcat. The cert is presented to the Apache server, which validates the cert, and then allows access to the XML document.


Example from the Apache conf file:

<Location /doc>
AuthType Cert
# Remove EXP-RC2-CBC-MD5 for greater security
SSLCipherSuite DES-CBC3-MD5:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-MD5:RC4-SHA:RC2-CBC-MD5:EXP-RC2-CBC-MD5
#SSLOptions +StdEnvVars +OptRenegotiate +ExportCertData
# Export the verified client cert (SSL_CLIENT_* variables) to the application
SSLOptions +StdEnvVars +ExportCertData
# The client must present a certificate that chains to a CA the server trusts
SSLVerifyClient require
# ... and that certificate must be signed directly by such a CA (no intermediates)
SSLVerifyDepth 1
AllowOverride None
</Location>


Other examples:

<http://jetty.mortbay.org/jetty/faq?s=400-Security&t=Client%20Certificates>
<http://www.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule>

Or, you can search for "cert authentication" at Google, it comes back fairly verbose.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
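Added example, not part of this thread and not Quanah's, Stanford's or OpenLDAP's code: a small Go program that does on the server side what "SSLVerifyClient require" and "SSLVerifyDepth 1" do in the Apache block above, and what OpenLDAP does for SASL/EXTERNAL over TLS, namely verify the presented client certificate against a trusted CA and turn its subject DN into the authenticated identity. The CA, the user name "turbo" and the organisation "Bayour" are constructed test values; nothing here is issued by a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a 128-bit random certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewCA builds a throwaway self-signed CA (constructed for this example; it
// stands in for whichever CA the Apache or LDAP server trusts).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert signs a DER client certificate for subject under ca, marked
// for TLS client authentication only.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject pkix.Name, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// AuthenticateClientCert is the server side: chain to a trusted root, valid
// dates, client-auth EKU, and at most one CA hop (the SSLVerifyDepth 1 rule).
// On success it returns the subject DN, which is the identity the application
// (or SASL/EXTERNAL in OpenLDAP) then works with.
func AuthenticateClientCert(clientDER []byte, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return "", fmt.Errorf("unparseable client certificate: %w", err)
	}
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	for _, chain := range chains {
		if len(chain) <= 2 { // leaf + directly trusted CA
			return cert.Subject.String(), nil
		}
	}
	return "", errors.New("client certificate rejected: chain deeper than SSLVerifyDepth 1 allows")
}

func main() {
	ca, caKey, err := NewCA("Example Test CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	user := pkix.Name{CommonName: "turbo", Organization: []string{"Bayour"}}
	good, _ := IssueClientCert(ca, caKey, user, time.Now().Add(time.Hour))
	fmt.Println(AuthenticateClientCert(good, roots))

	// Same subject, but issued by a CA the server does not trust: rejected.
	rogueCA, rogueKey, _ := NewCA("Untrusted CA")
	forged, _ := IssueClientCert(rogueCA, rogueKey, user, time.Now().Add(time.Hour))
	fmt.Println(AuthenticateClientCert(forged, roots))
}
```

The point of the untrusted-CA case is the one that makes cert authentication usable at all: the subject name in a certificate means nothing until the chain back to a CA the server chose has been checked, which is exactly what "SSLVerifyClient require" turns on and what the application behind "+ExportCertData" can then rely on.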