On Monday 29 March 2004 10:26 am, Ian Stokes-Rees wrote:
> Justin Karneges wrote:
> > I have been able to authenticate using x509, but between servers. It's
> > the same for clients though.
>
> OK, it seems like this happens automatically already, so I think I have
> done this as well, just by providing a combined public/private key PEM
> file to jabberd2.

Actually, I don't think jabberd2 supports server-to-server TLS.

> I understand that in principle, but the details are the important part.
> I imagine the c2s.xml <authreg> section will require a number of
> changes, and possibly also the sm.xml <module> chains. On the client
> side it is no longer just a matter of establishing an encrypted SSL link
> between two hosts, but actually verifying the certificate trust chain
> back to a trusted CA.

Clients should already be verifying the server's certificate in this way, else they are insecure and/or broken. If you want the client to authenticate to the server via a certificate (the reverse situation), then this means the _client_ has to present a certificate, and the _server_ has to verify it.

> Furthermore, I don't quite see how the whole thing fits together since
> servers are trusted to forward messages. Without some fixed mapping of
> CA certificate to (probably a set of) JID (sort of like a CA signing
> policy file), and cryptographically signed jabber messages, I would have
> thought it was very easy for a rogue (or hacked) server to fabricate
> messages, since there is no user-user (or client-client, or JID-JID)
> certificate authentication.

Indeed, TLS is only between XML streams, not Jabber endpoints. For end-to-end security, see your other thread on standards-jig.

-Justin

_______________________________________________
jdev mailing list
https://jabberstudio.org/mailman/listinfo/jdev
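The two points Justin makes (the server must demand and verify the client's certificate, and some policy must map an issuing CA to the JIDs it may vouch for) as an added illustration in Python; this is example code, not anything from jabberd2 or the thread. It assumes the client certificate carries the JID as an email-style subjectAltName entry, and the CA-to-domain policy table and sample certificate dict are constructed for the example.

```python
import ssl
from typing import Optional, Set

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns
# for a verified peer certificate; the names and CA are made up.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "alice"),),),
    "issuer": ((("commonName", "Example Jabber CA"),),),
    "subjectAltName": (("email", "alice@example.org"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Assumed policy ("CA signing policy file" from the thread): which issuing
# CA is allowed to certify users of which domain.
CA_DOMAIN_POLICY = {"Example Jabber CA": {"example.org"}}


def server_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """c2s-side TLS context: the client MUST present a certificate, and it
    is verified against the trusted CA bundle (ca_file may be None here
    only so the configuration can be inspected without a file on disk)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject clients without a cert
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def _rdn(name, key: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of a getpeercert() name."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def asserted_jids(cert: dict) -> Set[str]:
    """JIDs the certificate claims: every rfc822Name-style SAN entry."""
    return {v.lower() for t, v in cert.get("subjectAltName", ())
            if t == "email" and "@" in v}


def authorize_client(cert: dict, requested_jid: str) -> bool:
    """Accept the stream only if the requested bare JID is asserted by the
    certificate AND the issuing CA is permitted for that JID's domain."""
    jid = requested_jid.lower()
    if jid not in asserted_jids(cert):
        return False
    issuer = _rdn(cert.get("issuer", ()), "commonName")
    domain = jid.rsplit("@", 1)[1]
    return domain in CA_DOMAIN_POLICY.get(issuer, set())
```

A real deployment would call authorize_client with the dict from getpeercert() after the TLS handshake completes, so a valid certificate from an unrelated CA still cannot bind a JID in a domain that CA is not trusted for.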
