Hi Legolas

> Apache Synapse is a good project and I am planning to use Synapse for a
> project and I want to vote for the minor release model that was suggested, I
> mean it would be good to have 1.0.1, 1.0.2, and so on.

Cool.. I agree and I think we will be heading in that path soon with a
1.0.1 with some minor fixes and performance improvements etc.

> A feature that I want to vote for is mutual authentication using digital
> certificates (SSL mutual authentication).
> Let me explain what I mean by SSL mutual authentication:
> with my reading and research it means that we have a certDB on the server
> side (Synapse side) and it contains one or more CAs' certificates, and on the
> client side we have a certificate signed by one of those CAs. Now when a
> client wants to connect to Synapse, Synapse can check whether the
> client has a certificate signed by one of those CAs which are present in
> its certDB or not. If it is signed by one of them then Synapse will answer,
> otherwise it will not.

We already do have this support in the 1.0 release, but this is disabled
by default. If you set up your certificate stores (defaults are trust.jks
and identity.jks) properly and uncomment the "<parameter
name="SSLVerifyClient">require</parameter>" from the axis2.xml's https
transport listener configuration, it will do exactly what you have
explained.

> Also there should be some mechanism not to allow all clients with such
> certificates to connect to the server (I do not know how we should do
> this).

I agree.. let me check with the HttpCore project how this may be
possible.. thanks for suggesting this

> Also on the client side we should have some mechanism to check whether
> we are connecting to a server which has the correct certificate or not (I
> think we can do this by assigning a certificate to Synapse and adding the
> issuer CA which issued Synapse's certificate to the client JKS file), is it
> correct?

Right now we support hostname verification. Again this is commented out by
default in the axis2.xml's https transport sender configuration:
"<parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>" If
you specify strict, the host name verification would be performed.

asankha
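The thread above covers two separate things: authenticating a client by requiring a certificate chained to a CA in trust.jks (what SSLVerifyClient=require does), and the still-open question of admitting only some of the clients that hold such a certificate. The following is an added example written for this page, not Synapse or HttpCore code, showing in plain JSSE how the two fit together: the default trust manager loaded from trust.jks performs the CA-chain check, and a wrapper around it adds an allow list of client subject DNs, so a certificate that is validly signed but not on the list is still rejected at the handshake. The store file names, the password "password", port 8443 and the client DN "CN=client1,O=Example,C=US" are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Synapse code). Builds a server-side SSLContext that
 * presents identity.jks, requires a client certificate chained to a CA in
 * trust.jks, and additionally admits only client certificates whose subject
 * DN is on an explicit allow list. Store names and password are assumed.
 */
public class MutualAuthExample {

    /** Delegates CA-chain validation to the default JSSE trust manager, then
     *  enforces an allow list of client subject DNs (authorization on top of
     *  authentication). */
    static final class AllowListTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final Set<String> allowedSubjects;

        AllowListTrustManager(X509TrustManager delegate, Set<String> allowedSubjects) {
            this.delegate = delegate;
            this.allowedSubjects = allowedSubjects;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Step 1: the chain must validate against a CA in trust.jks.
            delegate.checkClientTrusted(chain, authType);
            // Step 2: a validly signed certificate is still rejected unless its
            // subject (RFC 2253 form, e.g. "CN=client1,O=Example,C=US") is allowed.
            String subject = chain[0].getSubjectX500Principal().getName();
            if (!allowedSubjects.contains(subject)) {
                throw new CertificateException("client " + subject + " is not on the allow list");
            }
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static X509TrustManager defaultTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static SSLContext serverContext(Set<String> allowedSubjects) throws Exception {
        char[] pw = "password".toCharArray(); // assumed store password
        KeyStore identity = load("identity.jks", pw); // server's own key and certificate
        KeyStore trust = load("trust.jks", pw);       // CA certificates clients must chain to

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, pw);

        TrustManager[] tms = { new AllowListTrustManager(defaultTrustManager(trust), allowedSubjects) };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tms, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = serverContext(Set.of("CN=client1,O=Example,C=US")); // assumed client DN
        SSLServerSocket server =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);
        server.setNeedClientAuth(true); // counterpart of SSLVerifyClient=require: no cert, no handshake
        try (SSLSocket s = (SSLSocket) server.accept()) {
            s.startHandshake();
            System.out.println("admitted " + s.getSession().getPeerPrincipal().getName());
        }
    }
}
```

The client-side concern in the thread (is the server who it claims to be?) is the mirror image: the client loads the issuing CA into its own trust store and keeps hostname verification enabled, so both the chain check and the name check have to pass before any request is sent.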
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]