Bryan Stansell bryan@conserver.com
Mon, 1 Nov 2010 23:41:27 GMT
On Mon, Nov 01, 2010 at 06:19:28PM -0400, Thor Simon wrote:
> I don't quite understand Conserver's SSL support. What is the purpose
> of specifying a certificate for a client, if the server cannot use it to
> identify a particular user?

Well, if you provide the certificate, it needs to succeed its authenticity check. If you don't provide one at all, it falls back to an anonymous cipher (so, it's encrypted, but not authenticated and subject to man-in-the-middle).

> How do I tell the client what certificate to expect (or what CA to expect
> to have signed it) for the server? If there's no way to do that, then
> there is no real protection from using SSL, since it is trivial to conduct
> a man-in-the-middle attack using any certificate that one happens to have
> handy...

There's no hook for specifying a different CA or CA repository. It uses whatever openssl was built with...and if you have the CA in your global repository, it should succeed and be fine. If you don't, it should fail with a validation error.

So, to "summarize":

- No certificates on client or server
  - anonymous ciphers are used and you get encryption without authentication
- Server-side certificate only
  - client must validate certificate with global openssl CA store
  - server doesn't require or receive a client certificate, and is fine with that
- Client-side certificate only
  - server must validate certificate with global openssl CA store
  - client doesn't require or receive a server certificate, and is fine with that
- Server-side and client-side certificate
  - client must validate certificate with global openssl CA store
  - server must validate certificate with global openssl CA store

Adding a hook to require the client certificate is the potentially missing piece - so you can force clients to provide a certificate. Adding a hook to override the CA store would possibly be useful as well.
I *think* if you modify conserver/main.c and replace "SSL_VERIFY_PEER" with "SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT" you get the client certificate enforcement. It needs to be tested and a configuration hook provided if so. But perhaps it's enough for you to get the config you'd like right now.

Bryan