[BEEPwg] TLS with mutual authentication

Lei Zhang lzhang@juniper.net
Wed, 26 May 2004 15:37:28 -0700


Dong Xin wrote:

>Hi,
>
>My question is how to start TLS between server and client with 
>mutual authentication. How can I specify certificates for the client 
>and server sides?
>
>Thanks,
>Dong
>
I think the RFC's mention of using serverName to specify the server-side 
certificate is really not a good solution.  This is what I plan to do 
for my BEEP implementation:

-  the server can take a command line option that points to an X.509 
certificate
-  on the client side, in order to really verify the certificate, the 
server certificate must be copied to the client machine; then the client 
machine can take a command line option that points to this known 
server-side certificate
-  the client starts the TLS channel, the SSL handshake starts, the server 
sends the certificate and the client verifies it
-  the client can take another command line option that points to a 
local certificate; if this is specified, then the client certificate will be 
verified by the server (the client-side certificate must be loaded on the 
server machine as a prerequisite)

By doing this, it seems the only need for further authentication using 
SASL would be access control.

Sane?
Lei
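The scheme in the list above, as an added example in Go using the standard crypto/tls package; this is not code from the post or from any BEEP implementation. Both certificates are generated in memory (standing in for the files the command line options would point to), and the names "beep-server" and "beep-client" are assumed. The client's trust store contains only the pinned server certificate, the server requires a client certificate and accepts only the pinned one, and the two failure modes (client presents no certificate; client has not been given the server's certificate) are exercised alongside the successful exchange.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds a self-signed X.509 certificate for name. In the post's scheme each side
// loads such a certificate from a file named on the command line; here they are generated
// in memory so the example runs offline (hypothetical names, not from any BEEP implementation).
func selfSigned(name string, server bool) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name} // the name the client checks the certificate against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// connect runs one TLS exchange on loopback and returns the server's greeting, which names
// the client CommonName the server verified. The two flags switch off one side of the scheme
// each, so the failure modes (no client certificate, server certificate not pinned) show too.
func connect(presentClientCert, pinServerCert bool) (string, error) {
	serverID, serverCert := selfSigned("beep-server", true)
	clientID, clientCert := selfSigned("beep-client", false)
	// Server: own certificate plus the pinned client certificate as the only acceptable
	// client "CA". RequireAndVerifyClientCert rejects a missing or unknown client certificate.
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientCert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverID},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if tc.Handshake() == nil { // fails when the client presents nothing or an unpinned cert
			fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()

	// Client: the pinned server certificate is the entire trust store. An empty (non-nil)
	// pool means "trust nothing", not "fall back to the system roots".
	rootCAs := x509.NewCertPool()
	if pinServerCert {
		rootCAs.AddCert(serverCert)
	}
	cfg := &tls.Config{RootCAs: rootCAs, ServerName: "beep-server", MinVersion: tls.VersionTLS12}
	if presentClientCert {
		cfg.Certificates = []tls.Certificate{clientID}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	reply, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(reply), err
}

func main() {
	for _, c := range [][2]bool{{true, true}, {false, true}, {true, false}} {
		reply, err := connect(c[0], c[1])
		fmt.Printf("client cert %v, server cert pinned %v: reply=%q err=%v\n", c[0], c[1], reply, err)
	}
}
```

Two points worth noting from the failure cases: with TLS 1.3 the client's handshake completes before the server has checked the client certificate, so a missing client certificate surfaces as an error on the first read rather than on the dial; and because a self-signed certificate placed directly in the peer's pool is the whole trust store, the client never consults system roots, which is exactly the "copy the known certificate over" property the list describes.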