I have been able to authenticate using x509, but between servers. It's the same for clients though.
OK, it seems like this happens automatically already, so I think I have done this as well, just by providing a combined public/private key PEM file to jabberd2.
If you do it, just make sure you follow the standard, which is to provide the certificate via the TLS handshake, and use the SASL "EXTERNAL" mechanism to signify that the cert is to be used for authentication. This is all part of XMPP 1.0.
I understand that in principle, but the details are the important part. I imagine the c2s.xml <authreg> section will require a number of changes, and possibly also the sm.xml <module> chains. On the client side it is no longer just a matter of establishing an encrypted SSL link between two hosts, but actually verifying the certificate trust chain back to a trusted CA.
Furthermore, I don't quite see how the whole thing fits together since servers are trusted to forward messages. Without some fixed mapping of CA certificate to (probably a set of) JID (sort of like a CA signing policy file), and cryptographically signed jabber messages, I would have thought it was very easy for a rogue (or hacked) server to fabricate messages, since there is no user-user (or client-client, or JID-JID) certificate authentication.
You mention jabberd, but not the version. You'll have better luck with this in jabberd2, as it already supports XMPP 1.0. I don't recommend trying to retrofit this onto jabberd1.
I'm using jabberd2 already on the server side, and jabberpy-0.5 on the client side, although I'll look at xmpppy-0.1 if that is a better idea.
Cheers,
Ian -- Ian Stokes-Rees [EMAIL PROTECTED] Particle Physics, Oxford http://www-pnp.physics.ox.ac.uk/~stokes
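One way a c2s server could act on the SASL EXTERNAL mechanism discussed in this thread, including a CA-to-JID mapping of the kind Ian asks about: this is an added example, not code from jabberd2 or from anyone on the list. It assumes the TLS layer has already verified the client chain, takes the certificate in the dict shape that Python's ssl getpeercert() returns, reads the JID from the subject commonName (an assumption; the standard prefers an id-on-xmppAddr subjectAltName), and the CA_POLICY table and every name and value in it are constructed.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns once the
# TLS handshake has already verified the chain back to a trusted CA.
PEER_CERT = {
    "issuer": ((("commonName", "Example Physics CA"),),),
    "subject": ((("commonName", "ian@example.org"),),),
}

# Hypothetical "CA signing policy": which JID domains each trusted issuer may vouch for.
CA_POLICY = {"Example Physics CA": {"example.org"}}


def _rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name tuple."""
    return next((v for rdn in name for k, v in rdn if k == attr), None)


def jid_from_cert(cert):
    """Return the JID this certificate vouches for, or None if its issuer may not vouch for it.

    RFC 3920 prefers an id-on-xmppAddr subjectAltName; the stdlib dict does not
    decode that, so this example (an assumption) reads the subject commonName.
    """
    jid = _rdn_value(cert.get("subject", ()), "commonName")
    issuer = _rdn_value(cert.get("issuer", ()), "commonName")
    if not jid or "@" not in jid or issuer not in CA_POLICY:
        return None
    return jid if jid.split("@", 1)[1] in CA_POLICY[issuer] else None


def _failure(condition):
    return f"<failure xmlns='{SASL_NS}'><{condition}/></failure>"


def handle_sasl_auth(auth_stanza, cert):
    """Answer the client's <auth/> element; returns (authenticated_jid_or_None, reply_xml)."""
    auth = ET.fromstring(auth_stanza)
    if auth.tag != f"{{{SASL_NS}}}auth" or auth.get("mechanism") != "EXTERNAL":
        return None, _failure("invalid-mechanism")
    cert_jid = jid_from_cert(cert)
    if cert_jid is None:
        return None, _failure("not-authorized")
    # "=" is XMPP's encoding of an empty authzid: the server derives it from the cert.
    text = (auth.text or "").strip()
    requested = cert_jid if text == "=" else base64.b64decode(text).decode("utf-8")
    if requested != cert_jid:
        return None, _failure("invalid-authzid")
    return cert_jid, f"<success xmlns='{SASL_NS}'/>"
```

A client that sends an explicit authzid must name the same JID the certificate carries; any other identity, an untrusted issuer, or an issuer vouching for a domain outside its policy entry is refused before any session is bound.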
_______________________________________________ jdev mailing list [EMAIL PROTECTED] https://jabberstudio.org/mailman/listinfo/jdev
