ssl client auth update
Lucas Fisher
lucas.fisher at gmail.com
Mon Nov 28 22:33:31 EST 2011
Sure, no problem. Yes, that is the branch I have been working on.

XMPP secures its connection with SSL/TLS (same encryption protocol
used for HTTP). My change allows one to use a certificate and key to
authenticate to the XMPP server when using SSL/TLS instead of a
password. While this isn't all that common on the Internet, it is used
in corporate environments where each employee is issued a certificate
that they can use to authenticate to web and other services. It is
similar to using keys with SSH but a different format and slightly
different security model.

This follows these XMPP extensions:
http://xmpp.org/extensions/xep-0257.html,
http://xmpp.org/extensions/xep-0257.html.
XMPP certificate authentication does make use of the SASL external mechanism.

I know of two servers that support certificate authentication: Openfire
and the Jabber Inc (now Cisco) server.

I posted a basic how-to for setting up Openfire:
http://developer.pidgin.im/wiki/Openfire%20Client%20SSL%20Authentication%20How-to
Some of the high level changes:
- Add APIs for handling private keys, and PKCS12 files (what you get
when you export your certs from a browser or what is usually
distributed to users)
- Add support to the gnutls ssl plugin for:
  - sending a certificate when it is requested by the server
  - import/export private keys
  - import/export PKCS12 files
- Add support to the Pidgin certificate manager for dealing with
personal certificates
- Add options to the XMPP protocol plugin for choosing a certificate
for authentication. This required making the protocol account options
dynamic instead of only being created at startup.
- Enable SASL external in the Cyrus SASL code
- Add support to the certificate API for saving/loading certificate
chains rather than just individual certificates.
- Change ssl connection to specify the certificate to use for authentication
My API additions are found in privatekey.h, certificate.h, pkcs12.h,
prpl.h (PurplePluginProtocolInfo). There are a number of other changes
too.
On Mon, Nov 28, 2011 at 1:41 AM, Mark Doliner <mark at kingant.net> wrote:
> Hey Lucas. I don't know if I'll have time to look at this branch, and
> I'm probably not the best person to look at it, but I wonder if you
> could provide a little more information. Not just for my benefit, but
> for anyone who might be interested in testing or reviewing this code.
>
> Is this the branch in question?
> im.pidgin.cpw.ljfisher.ssl_client_auth
> http://developer.pidgin.im/viewmtn/branch/shortchanges/im.pidgin.cpw.ljfisher.ssl_client_auth
>
> I haven't been following your emails very closely (sorry), I wonder if
> you could provide a description in your own words of what client side
> auth is and when it would be used. It sounds like maybe it allows
> users to authenticate to XMPP servers using public/private keys,
> similar to ssh? Is this a standard auth mechanism for XMPP? Or for
> SASL? Do many XMPP servers support it?
>
> Thanks, and sorry we haven't been able to give you the attention you deserve :-(
> Mark
>
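The client side of the SASL EXTERNAL step that the message above refers to (the mechanism by which an XMPP client, having already presented its certificate during the TLS handshake, tells the server to authenticate it from that certificate), as an added stand-alone example that is not Pidgin/libpurple code. It uses only the Python standard library; the `<stream:features>` and SASL reply stanzas are constructed sample data, and the function names are this example's own.

```python
"""Client-side SASL EXTERNAL negotiation helpers for XMPP.

Added example, not libpurple/Pidgin code. The server stanzas below are
constructed samples shaped like what a server that offers EXTERNAL sends
after the TLS handshake (in which the client's certificate has already
been presented and verified).
"""
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample <stream:features/> as sent after STARTTLS.
SAMPLE_FEATURES = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<mechanisms xmlns='{NS_SASL}'>"
    "<mechanism>EXTERNAL</mechanism>"
    "<mechanism>SCRAM-SHA-1</mechanism>"
    "<mechanism>PLAIN</mechanism>"
    "</mechanisms>"
    "</stream:features>"
)


def offered_mechanisms(features_xml: str) -> List[str]:
    """Return the SASL mechanism names advertised in <stream:features/>."""
    root = ET.fromstring(features_xml)
    return [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]


def choose_mechanism(features_xml: str, client_cert_presented: bool) -> Optional[str]:
    """Pick EXTERNAL only when a client certificate actually went over the
    TLS handshake and the server advertises it; otherwise fall back to a
    password mechanism. Trying EXTERNAL without a cert just yields a
    not-authorized failure."""
    offered = offered_mechanisms(features_xml)
    if client_cert_presented and "EXTERNAL" in offered:
        return "EXTERNAL"
    for fallback in ("SCRAM-SHA-1", "PLAIN"):  # password-based, preferred order
        if fallback in offered:
            return fallback
    return None


def build_external_auth(authzid: Optional[str] = None) -> str:
    """Build the <auth/> stanza for SASL EXTERNAL.

    The initial response is the authorization identity (a bare JID) when the
    certificate covers more than one identity; when the server should derive
    the identity from the certificate itself, the response is empty and is
    encoded as a single '=' (SASL's marker for a zero-length response)."""
    payload = base64.b64encode(authzid.encode("utf-8")).decode("ascii") if authzid else "="
    return f"<auth xmlns='{NS_SASL}' mechanism='EXTERNAL'>{payload}</auth>"


def parse_sasl_result(reply_xml: str) -> Tuple[bool, Optional[str]]:
    """Interpret the server's <success/> or <failure/> reply.

    Returns (True, None) on success, (False, reason) on failure, where the
    reason is the failure condition element name (e.g. 'not-authorized')."""
    root = ET.fromstring(reply_xml)
    if root.tag == f"{{{NS_SASL}}}success":
        return True, None
    if root.tag == f"{{{NS_SASL}}}failure":
        condition = next(iter(root), None)
        reason = condition.tag.split("}")[-1] if condition is not None else "unknown"
        return False, reason
    raise ValueError(f"unexpected SASL reply element: {root.tag}")


if __name__ == "__main__":
    mech = choose_mechanism(SAMPLE_FEATURES, client_cert_presented=True)
    print("chosen mechanism:", mech)
    print("client sends:", build_external_auth())
    # Constructed sample replies a server might send.
    print(parse_sasl_result(f"<success xmlns='{NS_SASL}'/>"))
    print(parse_sasl_result(f"<failure xmlns='{NS_SASL}'><not-authorized/></failure>"))
```

The `client_cert_presented` flag stands in for what the SSL layer knows (whether the server asked for a certificate during the handshake and one was sent); deciding on EXTERNAL from that state rather than from the server's mechanism list alone is what keeps a client from attempting certificate authentication it cannot back up.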