[jdev] x509 client authorization

Ian Stokes-Rees i.stokes-rees1 at physics.ox.ac.uk
Mon Mar 29 12:26:17 CST 2004

Justin Karneges wrote:
> I have been able to authenticate using x509, but between servers.  It's the 
> same for clients though.

OK, it seems like this happens automatically already, so I think I have 
done this as well, just by providing a combined public/private key PEM 
file to jabberd2.

> If you do it, just make sure you follow the standard, which is to provide the 
> certificate via the TLS handshake, and use the SASL "EXTERNAL" mechanism to 
> signify that the cert is to be used for authentication.  This is all part of 
> XMPP 1.0.

I understand that in principle, but the details are the important part.
I imagine the c2s.xml <authreg> section will require a number of 
changes, and possibly also the sm.xml <module> chains.  On the client 
side it is no longer just a matter of establishing an encrypted SSL link 
between two hosts, but actually verifying the certificate trust chain 
back to a trusted CA.

Furthermore, I don't quite see how the whole thing fits together since 
servers are trusted to forward messages.  Without some fixed mapping of 
CA certificate to (probably a set of) JID (sort of like a CA signing 
policy file), and cryptographically signed jabber messages, I would have 
thought it was very easy for a rogue (or hacked) server to fabricate 
messages, since there is no user-user (or client-client, or JID-JID) 
certificate authentication.

> You mention jabberd, but not the version.  You'll have better luck with this 
> in jabberd2, as it already supports XMPP 1.0.  I don't recommend trying to 
> retrofit this onto jabberd1.

I'm using jabberd2 already on the server side, and jabberpy-0.5 on the 
client side, although I'll look at xmpppy-0.1 if that is a better idea.


Ian Stokes-Rees              i.stokes-rees at physics.ox.ac.uk
Particle Physics, Oxford     http://www-pnp.physics.ox.ac.uk/~stokes
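
The client-side steps discussed in this thread (verifying the server chain, presenting a certificate in the TLS handshake, then selecting SASL EXTERNAL) are sketched below as an added example that is not part of the original message or of jabberpy/xmpppy. It uses only the Python standard library; the function names, the certificate file arguments and the sample features stanza are assumptions made for illustration.

```python
import base64
import ssl
import xml.etree.ElementTree as ET

XMPP_SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample of the features a server advertises after STARTTLS.
SAMPLE_FEATURES = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<mechanisms xmlns='{XMPP_SASL_NS}'>"
    "<mechanism>EXTERNAL</mechanism><mechanism>DIGEST-MD5</mechanism>"
    "</mechanisms></stream:features>"
)

def encrypted_only_context():
    """Weak form: the link is encrypted, but any server certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verified_context(ca_file=None, cert_file=None, key_file=None):
    """Verify the server chain up to a trusted CA and offer our own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # private CA (placeholder path)
    else:
        ctx.load_default_certs()
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # sent during the TLS handshake
    return ctx

def offers_external(features_xml):
    """True if the server lists EXTERNAL among its SASL mechanisms."""
    root = ET.fromstring(features_xml)
    return any((m.text or "").strip() == "EXTERNAL"
               for m in root.iter(f"{{{XMPP_SASL_NS}}}mechanism"))

def external_auth(features_xml, authzid=""):
    """Build the <auth/> element, or None when EXTERNAL is not offered."""
    if not offers_external(features_xml):
        return None
    # A zero-length initial response is sent as a single "=".
    data = base64.b64encode(authzid.encode("utf-8")).decode("ascii") if authzid else "="
    return f"<auth xmlns='{XMPP_SASL_NS}' mechanism='EXTERNAL'>{data}</auth>"
```
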
