[jdev] x509 client authorization
justin-keyword-jabber.093179 at affinix.com
Mon Mar 29 14:15:23 CST 2004
On Monday 29 March 2004 10:26 am, Ian Stokes-Rees wrote:
> Justin Karneges wrote:
> > I have been able to authenticate using x509, but between servers. It's
> > the same for clients though.
> OK, it seems like this happens automatically already, so I think I have
> done this as well, just by providing a combined public/private key PEM
> file to jabberd2.
Actually, I don't think jabberd2 supports server-to-server TLS.
> I understand that in principal, but the details are the important part.
> I imagine the c2s.xml <authreg> section will require a number of
> changes, and possibly also the sm.xml <module> chains. On the client
> side it is no longer just a matter of establishing an encypted SSL link
> between two hosts, but actually verifying the certificate trust chain
> back to a trusted CA.
Clients should already be verifying the server's certificate in this way, else
they are insecure and/or broken.
If you want the client to authenticate to the server via a certificate (the
reverse situation), then this means the _client_ has to present a
certificate, and the _server_ has to verify it.
> Furthermore, I don't quite see how the whole thing fits together since
> servers are trusted to forward messages. Without some fixed mapping of
> CA certificate to (probably a set of) JID (sort of like a CA signing
> policy file), and cryptographically signed jabber messages, I would have
> thought it was very easy for a rogue (or hacked) server to fabricate
> messages, since there is no user-user (or client-client, or JID-JID)
> certificate authentication.
Indeed, TLS is only between XML streams, not Jabber endpoints. For end-to-end
security, see your other thread on standards-jig.
More information about the JDev