[GitHub] [james-project] ottoka commented on a change in pull request #750: JAMES-3672 : Support TLS authentication via client certificate

Mon, 22 Nov 2021 00:40:26 -0800 


ottoka commented on a change in pull request #750:
URL: https://github.com/apache/james-project/pull/750#discussion_r754048931



##########
File path: 
server/apps/distributed-app/docs/modules/ROOT/pages/configure/ssl.adoc
##########
@@ -84,6 +84,32 @@ Please note `JKS` keystore format is also supported (default 
value if no keystor
 </tls>
 ....
 
+
+=== Client authentication via certificates
+
+When you enable TLS, you may also configure the server to request a client 
certificate for authentication:
+
+....
+<tls socketTLS="false" startTLS="true">
+  <keystore>file://conf/keystore</keystore>
+  <keystoreType>JKS</keystoreType>
+  <secret>yoursecret</secret>
+
+  <clientAuth required="true">
+    <truststore>file://conf/truststore</truststore>
+    <truststoreType>JKS</truststoreType>
+    <truststoreSecret>yoursecret</truststoreSecret>
+  </clientAuth>
+</tls>
+....
+
+With `required="true"`, the server refuses any client connections that do not 
include a client certificate.
+
+With `required="false"`, the servers requests an optional client certificate, 
but also accepts connections without one.

Review comment:
       It is one of the options you have in the TLS handshake protocol. The 
idea is that servers could allow different levels of access whether they 
decided to authenticate or not.
   Right now this does not make much sense in James. But someone could 
implement a way to access the client certificate (if any) from the protocol 
session, e.g. to implement SASL EXTERNAL authentication mode. Or even from 
mailets to do whatever.
   Now that I think about it, it is probably easier to just remove the option 
for now; if someone needs it later they can easily add it again.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to