[BEEPwg] TLS with mutual authentication
Thu, 27 May 2004 10:44:40 -0500 (CDT)
Thanks a lot, Lei.
However, I am a new user of beepcore. It will be great if you can explain
> I think the RFC's mentioning of using serverName to specify server side
> certificate is really not a good solution. This is what I plan to do
> for my BEEP implementation:
> - the server can take a command line option that points to a X.509
What is the "command line option"? Is this command line option specified
in config files? What's the format of this specification?
> - on the client side, in order to really verify the certificate, the
> server certificate must be copied to the client machine, then the client
> machine can take a command line option that points to this known
> server-side certificate
> - client starts TLS channel, SSL handshake starts, the server sends the
> certificate and the client verifies it
Why does the server need to send the certificate? Is a message signed by
a private key not enough?
> - the client can take another command line option that points to a
> local certificate; if this is specified, then client certificate will be
> verified by server (the client-side certificate must be loaded on the
> server machine as pre-requisite)
> By doing this, it seems the only need for further authentication using
> SASL would be access-control.
I do not know whether the mutual authentication is already supported by
beepcore.tls or we have to implement it in our application.
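The plan quoted above, as an added example that is not part of this thread or of beepcore: the client pins the server's certificate that was copied to it, the server pins the client certificate that was pre-loaded on it, and the server demands the client certificate during the handshake. It assumes the `cryptography` package is installed; the throwaway self-signed certificates, the names "localhost" and "beep-client", and the loopback connection are all constructed for the demo.

```python
import datetime, pathlib, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_self_signed(cn, directory):  # constructed test material, stands in for the real X.509 files
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
            .sign(key, hashes.SHA256()))
    crt, keyf = pathlib.Path(directory, cn + ".crt"), pathlib.Path(directory, cn + ".key")
    crt.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    keyf.write_bytes(key.private_bytes(serialization.Encoding.PEM,
                     serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
    return str(crt), str(keyf)

def peer_cn(tls):  # common name of the certificate the other side presented in the handshake
    return dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]

def mutual_tls_handshake():
    """One mutually authenticated handshake over loopback; returns (CN the server saw, CN the client saw)."""
    with tempfile.TemporaryDirectory() as d:
        s_crt, s_key = make_self_signed("localhost", d)
        c_crt, c_key = make_self_signed("beep-client", d)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(s_crt, s_key)             # the server's own certificate and key
        srv.verify_mode = ssl.CERT_REQUIRED            # "client certificate will be verified by server"
        srv.load_verify_locations(cafile=c_crt)        # client cert pre-loaded on the server machine
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check by default
        cli.load_verify_locations(cafile=s_crt)        # known server cert copied to the client machine
        cli.load_cert_chain(c_crt, c_key)              # the optional client-side certificate
        listener = socket.create_server(("127.0.0.1", 0))
        seen = {}
        def serve():
            conn, _ = listener.accept()
            with srv.wrap_socket(conn, server_side=True) as tls:  # handshake fails here without a valid client cert
                seen["server"] = peer_cn(tls)
                tls.sendall(b"RPY")
        t = threading.Thread(target=serve); t.start()
        with socket.create_connection(listener.getsockname()) as raw, \
                cli.wrap_socket(raw, server_hostname="localhost") as tls:  # verifies the server cert
            seen["client"] = peer_cn(tls)
            tls.recv(3)                                # wait until the server has accepted us too
        t.join(); listener.close()
        return seen["server"], seen["client"]
```

Dropping the `cli.load_cert_chain` line reproduces the "client cert not specified" case: the server's `wrap_socket` then rejects the handshake because of `CERT_REQUIRED`.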