[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS client certs, SASL EXTERNAL

To: "Howard Chu" <hyc@highlandsun.com>
Subject: RE: TLS client certs, SASL EXTERNAL
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 26 Jan 2002 14:20:01 -0800
Cc: "Pierangelo Masarati" <masarati@aero.polimi.it>, <openldap-devel@OpenLDAP.org>
In-reply-to: <006201c1a6b3$3bba33a0$1001a8c0@fiddle.symas.com>
References: <200201261454.g0QEsv421744@server.aero.polimi.it>

At 01:48 PM 2002-01-26, Howard Chu wrote:
>> -----Original Message-----
>> From: Pierangelo Masarati [mailto:masarati@aero.polimi.it]
>> > succeed. It seems to me that we need a middle "client cert is
>> optional" state
>> > in here, so that the server can ask for a client cert but will not
>> complain if
>> > none is available. Or we can just change the default state to
>> "always ask for
>> > optional client cert" for simplicity. Opinions, anyone?
>>
>> I'd prefer to have a third option (say "ASK", or "no" "yes" "critical"
>> for consistency with the tls options), to allow more fine grain
>> configuration.  I wonder what solution breaks the least number
>> of installations :)
>
>OK, I agree with that. I'm actually looking at 4 options now:
>        no/never - same as old default, the server never asks for a client cert.
>        allow - server asks. If a bad cert is received, ignore it.

I'm not sure this about this one, that behavior might be
counter to the specs (though I haven't checked).  Anyways,
I think the client should be told its cert is bad.  Also,
as some clients blindly go on, killing the connection is a
good here.  However, as long as appropriate security
considerations are noted in the documentation, I can live
with it.

>        try - server asks. If a bad cert is received, kill connection.


>        demand - same as "yes" - Must receive a valid cert.
>
>In the "allow" and "try" cases, it is OK if the client has no cert. The
>difference is just when a cert is presented. In the try case, if a bad cert is
>received, fail the connection. In the allow case, if a bad cert is received,
>just proceed as if no cert was received. This may be useful when a foreign
>client has its own cert but the server doesn't recognize it; the normal
>verification behavior would prevent the foreign client from ever using TLS with
>the server.
>
>The OpenSSL library directly supports the never/try/demand conditions. It will
>take some tweaking in the callback routine to support the allow case.
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: TLS client certs, SASL EXTERNAL
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- Re: TLS client certs, SASL EXTERNAL
  - From: Pierangelo Masarati <masarati@aero.polimi.it>
- RE: TLS client certs, SASL EXTERNAL
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: TLS client certs, SASL EXTERNAL
Next by Date: Re: BDB entry cache submission
Index(es):
- Chronological
- Thread