
Re: TLS client certificate pb



On Tue, 2003-03-04 at 13:15, Francois Beretti wrote:

> I still haven't found how to have tls working with client certificate
> verification...
> 
> Is it required for this to use SASL EXTERNAL ?
> 
> I want to try SASL EXTERNAL, but I need some clarification...
> How does the server map the client certificate with the dn used to
> authenticate ? Where do the certificates have to be stored ? (and do
> they have to be stored ? )

SASL External is simply wire encryption (either ssl or tls). Client
certificates are not needed for it.

Quite another thing is why you haven't been able to make ssl/tls work up
to now. Apart from your putting your certificates in "a daft place",
what you've done should probably work, but there are so many "ifs and
buts." For example, your host's genuine FQDN and what you told OpenSSL
it was. Relatively easy to see with debug at -1 and Ethereal.

*EVERYTHING* that you are attempting has been fully covered in the mail
archives for this list - back to last July - with discussions, examples,
people (me for example;) saying "hoorah, hoorah, it works" and people
being dragged round to other people's way of thinking, etc.

I just think it's such a shame that it's not easier to search there. I
have everything from this list since June/July 2002 on my hard disk.
Searching in my MUA, Ximian's Evolution, is *so* easy and with that
volume of info searching always turns up trumps, if anything has ever
been discussed and solutions found.

Best,

Tony

-- 

Tony Earnshaw

All the world is mad, exceptin thee and me
and even thee's a little queer

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl