[Vortex] TLS + SASL auth ?

Francis Brosnan Blazquez francis at aspl.es
Thu May 11 15:43:28 CEST 2006


On Thu, 2006-05-11 at 11:59 +0200, milton.yates at loule.info wrote:
> Hi,
> 

Hi Milton!

All your questions are strongly connected.

> I'm looking for a way to use TLS-encrypted-only channels, and then
> authenticate clients. I was thinking of using the SASL support
> provided by vortex.
> 
> Can I use both TLS and SASL? For example by accepting TLS
> negotiations, then SASL negotiations? I have not yet tested this, any
> thoughts on this?

Sure. In fact, it could be considered, at this moment, the optimal way
to use the current TLS+SASL support provided by Vortex, getting both
features: securing the connection and authenticating the remote peer.

In short:
1) Activate the TLS profile, at the listener side, using:

   - vortex_tls_accept_negociation

2) Activate the SASL profile required, let's say CRAM-MD5, using:

   - vortex_sasl_set_cram_md5_validation

   and then:

   - vortex_sasl_accept_negociation (VORTEX_SASL_CRAM_MD5)

3) Here is the point. Set the CRAM-MD5 validation handler to first check
the TLS-fixation status of the connection being authenticated,
using:

   - vortex_connection_is_tlsficated

and then authenticate as normal.

See comments below.

> 
> Another question I have is whether it is possible:
> - for the TLS connected client to actually GET the server certificate
> so that he can actually verify the content and validity of the
> certificate. I did not find anything yet on this in the doc.
> 
> - for the TLS clients to use their own X509 client certificates, and
> for the server to be able to receive these cert and do whatever to
> validate them. This is sort of a TLS certificate-based authentication.
> Is this planned in any way?
> 

As stated above, all these questions are connected mainly because they
seek to solve the authentication and connection security problem.
Obviously, there are several solutions to this.

At this moment, Vortex allows you to secure the connection in an
anonymous way, pretty much like secure web servers, using the TLS
profile, and then you must use a SASL profile to ensure authentication.

Mutual TLS authentication could give an even more secure environment,
providing both features at the same time. However, at this moment, this
is still not supported.

I've filed a bug report on this issue [1]

Good day Milton!

> 
> Cheers,
> Milton Yates. 

[1] http://dolphin.aspl.es/cgi-bin/bugzilla/show_bug.cgi?id=316

-- 
Francis Brosnan Blazquez <francis at aspl.es>
Advanced Software Production Line, S.L.
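The listener-side policy described in the reply above (TLS first, then a CRAM-MD5 validation handler that refuses any connection that is not TLS-fixated), modelled stand-alone as an added example. This is not Vortex code and calls no libvortex API: the Connection class, its tls_fixated flag, the user table and the function names are assumptions standing in for a VortexConnection, the answer vortex_connection_is_tlsficated() would give, and the CRAM-MD5 validation handler. Both halves of the CRAM-MD5 exchange are included so the challenge and response can be inspected.

```python
"""
Listener-side policy from the reply above, modelled stand-alone: a CRAM-MD5
exchange whose password lookup refuses any connection that did not finish TLS
first. Added example; not Vortex code and uses no libvortex API.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Connection:
    """Stand-in for a VortexConnection (assumption). tls_fixated plays the role
    of the answer vortex_connection_is_tlsficated() gives for the real thing."""
    peer: str
    tls_fixated: bool = False
    sasl_user: Optional[str] = None


# Constructed credential store. CRAM-MD5 needs the plaintext password (or an
# equivalent secret) server-side, because the server must recompute the HMAC.
USERS: Dict[str, str] = {
    "milton": "correct horse battery staple",
}


def cram_md5_lookup(conn: Connection, auth_id: str) -> Optional[str]:
    """Same shape as the CRAM-MD5 validation handler in the mail: given the
    connection and the user name the client claims, hand back the password so
    the digest can be checked, or None to refuse. Step 3 of the mail: check
    TLS first, then authenticate as normal."""
    if not conn.tls_fixated:
        return None            # cleartext connection: never even consult USERS
    return USERS.get(auth_id)


def make_challenge(hostname: str = "beep.example") -> str:
    """Server challenge in the RFC 2195 style <random.timestamp@host>."""
    return f"<{secrets.randbelow(10**8)}.{int(time.time())}@{hostname}>"


def client_response(user: str, password: str, challenge: str) -> str:
    """What the client sends back: 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify(conn: Connection, challenge: str, response: str,
                  lookup: Callable[[Connection, str], Optional[str]] = cram_md5_lookup) -> bool:
    """Server side: parse the response, ask the lookup for the password,
    recompute the HMAC and compare in constant time. On success the
    connection is marked as authenticated for that user."""
    parts = response.split(" ", 1)
    if len(parts) != 2:
        return False
    user, digest = parts
    password = lookup(conn, user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return False
    conn.sasl_user = user
    return True


def run_exchange(conn: Connection, user: str, password: str,
                 challenge: Optional[str] = None) -> Tuple[bool, str, str]:
    """Drive both halves of the exchange over a modelled connection and return
    (accepted, challenge, response) so the messages can be inspected."""
    challenge = challenge or make_challenge()
    response = client_response(user, password, challenge)
    return server_verify(conn, challenge, response), challenge, response


if __name__ == "__main__":
    plain = Connection("192.0.2.10")                      # TLS never negotiated
    tls = Connection("192.0.2.10", tls_fixated=True)      # TLS negotiated first
    for label, conn in (("plain", plain), ("tls", tls)):
        ok, chal, resp = run_exchange(conn, "milton", USERS["milton"])
        print(f"{label:5s} challenge={chal} response={resp} accepted={ok}")
```

Two things the model makes visible that the step list alone does not. First, the TLS check sits in the password lookup, before the user table is even consulted, so a cleartext peer gets the same refusal whether or not the user exists. Second, tls_fixated only records that TLS was negotiated on that connection, which is exactly what the check in the mail tells you; it says nothing about whose certificate the client saw, which is the separate question about inspecting the server certificate and client certificates that the reply says is not yet supported.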
