RE: [iaik-ssl] How to do client authentication only?
While it is true that the SSL protocol itself cannot force the client to
authenticate itself, you can augment the handshaking phase to effectively
force the client to authenticate itself.
Take a look at the iaik.security.ssl.ServerTrustDecider. This is called
whenever a new session is established on your server. If the client has not
presented a certificate chain or the chain is not trusted, return false.
The end result: the client is forced to authenticate itself.
Server Platform Group
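An added example of the approach described in the reply above; it is not code from the post or from the iSaSiLk distribution. It assumes the interface's single callback is `isTrustedPeer(X509Certificate[])` and that the caller supplies the CA certificates client chains must end at; the decider refuses the session when no chain was presented and otherwise validates the chain with the JDK's PKIX validator.

```java
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import iaik.security.ssl.ServerTrustDecider;

/** Requires a client certificate chain and validates it against a fixed CA set. */
public class RequireClientCertDecider implements ServerTrustDecider {

    private final Set<TrustAnchor> anchors = new HashSet<>();
    private final Set<X509Certificate> anchorCerts = new HashSet<>();

    /** caCerts: CA certificates the client chain must terminate at (loaded by the caller). */
    public RequireClientCertDecider(X509Certificate[] caCerts) {
        for (X509Certificate ca : caCerts) {
            anchors.add(new TrustAnchor(ca, null));
            anchorCerts.add(ca);
        }
    }

    /** Assumed callback signature. Returning false aborts the handshake. */
    public boolean isTrustedPeer(X509Certificate[] certChain) {
        // No certificate presented, or an empty chain: refuse the session.
        if (certChain == null || certChain.length == 0) {
            return false;
        }
        // PKIX expects the trust anchor outside the validated path, so drop our own CAs.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : certChain) {
            if (!anchorCerts.contains(c)) path.add(c);
        }
        if (path.isEmpty()) return false; // chain carried only a CA, no client identity
        try {
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // no CRL/OCSP source configured here
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return true;
        } catch (Exception e) {
            // Untrusted issuer, expired certificate or bad signature: refuse the session.
            return false;
        }
    }
}
```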
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org]On Behalf Of Polar Humenn
> Sent: Wednesday, September 06, 2000 8:43 AM
> To: Gerald Brose
> Cc: email@example.com
> Subject: Re: [iaik-ssl] How to do client authentication only?
> Hi Gerald,
> This is the biggest problem we have with SSL being a security protocol.
> The client cannot be forced to authenticate.
> You should see the hoops we have to go through for CORBA security (CSIv2)
> because of SSL. SSL is chosen because people thought that CORBA SECIOP was
> too complicated.
> The biggest problem we have is that SSL doesn't follow the GSS-API, and it
> doesn't force client authentication. Also, it's so limited that you cannot
> stick privileges in it.
> It's a broken bicycle that shouldn't be allowed to be on the road. But
> apparently it's a pretty color and everybody likes it. And of course,
> there is nothing else mainstream. We'll ride it with flat tires if we have
> Good luck,
> On Wed, 6 Sep 2000, Gerald Brose wrote:
> > Is it possible to set up SSL such that only the client
> > is authenticated, i.e. that only clients but not servers
> > need to provide certificates?
> > Setting the cipher suite to allow DH_anon does not work
> > because in this case the client cannot be authenticated.
> > Thanks, Gerald Brose.
> > --
> > Gerald Brose, Mail: firstname.lastname@example.org
> > FU Berlin (for PGP key see:) http://www.inf.fu-berlin.de/~brose
> > Institut f. Informatik Phone: (++49-30) 838-75112
> > Berlin, Germany Fax: (++49-30) 838-75109
> > --
> > Mailinglist-archive at
> To unsubscribe send an email to email@example.com with the following
content: UNSUBSCRIBE iaik-ssl
Polar Humenn Adiron, LLC
mailto:firstname.lastname@example.org 2-212 CST
Phone: 315-443-3171 Syracuse, NY 13244-4100
Fax: 315-443-4745 http://www.adiron.com
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html