[Freeipa-devel] SSL
Rob Crittenden
rcritten at redhat.com
Thu Jul 12 14:44:02 UTC 2007
Simo Sorce wrote:
> On Thu, 2007-07-12 at 10:23 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2007-07-10 at 17:11 -0400, Rob Crittenden wrote:
>>>> So I was thinking about the XML-RPC portion of this.
>>>>
>>>> One thing we'll be doing is setting and resetting user passwords. So we
>>>> should use SSL to protect them, if for no other reaosn.
>>>>
>>>> So:
>>>>
>>>> 1. I assume we'll have to use OpenSSL. If there are Python NSS bindings
>>>> I couldn't find them. OLPC may do this work for us
>>>> (http://dev.laptop.org/ticket/855)
>>>>
>>>> 2. How will we manage trust between the gui and command-line clients and
>>>> XML-RPC server?
>>> IF we are going to use kerberos, can't we just use GSSAPI to encrypt
>>> traffic?
>> I can't find any information on how to do this (GSSAPI over HTTP). Do
>> you have any pointers?
>
> IIRC RFC4559.
>
> Simo.
>
Thanks
This RFC defines authentication (the Negotiate mechanism).
Further in the document is this:
6. Security Considerations
The SPNEGO HTTP authentication facility is only used to provide
authentication of a user to a server. It provides no facilities for
protecting the HTTP headers or data including the Authorization and
WWW-Authenticate headers that are used to implement this mechanism.
Alternate mechanisms such as TLS can be used to provide
confidentiality.
I did find an expired draft (from 2001) that added SASL support to
HTTP/1.1 via the Upgrade header but then any clients that wanted to use
this would need to add this feature as well.
I wonder if there is a way to have our clients automatically download
the CA certificate after authenticating. It won't impede others from
using our XML-RPC server, they will just need to manually install the
CA. That or we install the CA on client machines as part of our client
configuration mechanism.
The on-the-fly method might look something like:
Make SSL connection
If fail due to lack-of-trust:
Authenticate to HTTP listener using Kerberos
If auth-fails:
print nice error message
else:
download CA cert
Restart request over HTTPS
Continue
The downside is that this adds a fair bit of complexity and requires 2
listeners.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070712/8cdd9a77/attachment.bin>
More information about the Freeipa-devel
mailing list