On Wed, 12 Jan 2011, emilien...@eaton.com wrote:

> If you think that login/password is enough to authenticate clients, I can
> remove SSL client authentication parts. It is not a problem.
If an attacker tries to get the password via man-in-the-middle, then the
client connection will fail because the server authentication will fail.
An attacker is prevented from obtaining the password via eavesdropping by
the SSL encryption.

An attacker can get the password via other means, of course, but those same
means could obtain the client private key as well. (Unless the other means
is reading the password off a sticky note - the private key wouldn't fit.)

One advantage to client certs is that it avoids weak passwords - but the
client could protect their private key with a weak password. You could also
assign random strong passwords to clients to avoid weak passwords.

In general, given an authenticated server and secure connection, any
security problems with client password authentication also apply to the
private key needed for client cert authentication.

-- 
Stuart D. Gathman <stu...@bmsi.com>
Business Management Systems Inc.  Phone: 703 591-0911  Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

_______________________________________________
Nut-upsdev mailing list
Nut-upsdev@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/nut-upsdev
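The claim in the message above (a man-in-the-middle cannot harvest the password, because the client's check of the server certificate fails before any login command is sent) can be exercised end to end. The following is an added example, not code from this thread or from NUT: it runs a TLS listener playing the role of upsd, first with the certificate the client trusts and then with an attacker's certificate for the same name, and reports whether a PASSWORD command ever reached the server. The host name `upsd.example`, the credentials and the certificates are constructed for the demo; the client sends USERNAME/PASSWORD lines modelled on the NUT protocol but, as a simplification, speaks TLS from the first byte rather than upgrading via NUT's STARTTLS.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds a self-signed certificate for host. It returns the
// tls.Certificate a server presents and the parsed leaf a client may trust.
// Both the genuine upsd and the attacker get one; only the genuine leaf
// goes into the client's trust store.
func selfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// connectAndLogin starts a TLS listener presenting serverCert, then plays a
// upsd client that verifies the server against trusted and only after a
// successful handshake sends USERNAME/PASSWORD (NUT-style, constructed here).
// It returns whether the server side ever saw a PASSWORD line.
func connectAndLogin(serverCert tls.Certificate, trusted *x509.CertPool) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return false, err
	}
	defer ln.Close()

	sawPassword := make(chan bool, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			sawPassword <- false
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		seen := false
		sc := bufio.NewScanner(conn) // first Read completes (or fails) the handshake
		for sc.Scan() {
			if strings.HasPrefix(sc.Text(), "PASSWORD ") {
				seen = true
			}
		}
		sawPassword <- seen
	}()

	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    trusted,        // pinned: only the genuine upsd certificate
		ServerName: "upsd.example", // hypothetical host name, checked against the SAN
	})
	if err != nil {
		// Server authentication failed: the client aborts before any login
		// command, so the listener (the attacker) receives nothing but an alert.
		select {
		case seen := <-sawPassword:
			return seen, fmt.Errorf("client refused server: %w", err)
		case <-time.After(5 * time.Second):
			return false, fmt.Errorf("client refused server: %w", err)
		}
	}
	fmt.Fprintf(client, "USERNAME monuser\nPASSWORD hunter2\n") // constructed credentials
	client.Close()
	return <-sawPassword, nil
}

func main() {
	genuine, genuineLeaf, err := selfSigned("upsd.example")
	if err != nil {
		panic(err)
	}
	rogue, _, err := selfSigned("upsd.example") // attacker: same name, different key
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(genuineLeaf)

	seen, err := connectAndLogin(genuine, trusted)
	fmt.Printf("genuine upsd: password reached server=%v err=%v\n", seen, err)
	seen, err = connectAndLogin(rogue, trusted)
	fmt.Printf("rogue upsd:   password reached server=%v err=%v\n", seen, err)
}
```

The genuine run completes and the listener sees the PASSWORD line; the rogue run fails in the handshake with an unknown-authority error and the listener sees no login at all. The whole argument rests on the client actually verifying the server (here `RootCAs` plus `ServerName`); a client that skips that check, for example with `InsecureSkipVerify`, hands the password to whoever answers the connection.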