[LINK] [OT] Help re RFC 2246. The TLS Protocol

Roger Clarke Roger.Clarke at xamax.com.au
Thu Feb 19 23:11:26 AEDT 2009


At 22:54 +1100 19/2/09, Bernard Robertson-Dunn wrote:
>I need a client initiated SSL session to force mutual authentication ...

I'm no help whatsoever, sorry.

But:
(a) I reckon lots of linkers will understand the question and why it matters
(b) some of us will be embarrassed that we're not quite sure where to 
start the research
(c) many of us will be relieved that even you need to ask the question

And it's certainly not OT, because it has policy implications:

(1)  I've taught people for years that all of no, one-sided and 
mutual authentication are available.  If servers have the option of 
not offering mutual authentication, then:
(i)  I've been teaching wrongly (okay, that's hardly unique ...)
(ii) my longstanding scepticism about PKI (well, 15 years is a long 
time in this game) would be even *more* justified than I thought it 
was

(2)  If/when someone appropriates TLS from client-server across to 
P2P architecture, they'd better keep this in mind!

_________________________

At 22:54 +1100 19/2/09, Bernard Robertson-Dunn wrote:
>This is totally off topic and I apologise, but I need some help fast.
>
>Re RFC 2246 The TLS Protocol
>
>Problem:
>I need a client initiated SSL session to force mutual authentication.
>
>My understanding:
>It seems that when the server initiates the SSL handshake it has three
>options:
>     Perform the handshake as a server.
>     Perform the handshake as a server with client authentication.
>     Perform the handshake as a server with optional client authentication.
>
>However, the client can only request a handshake but not specify that it
>must have client authentication.
>
>Thus mutual authentication is normally enabled by configuring the server
>appropriately.
>
>I have been told that by specifying CipherSuite to be
>TLS_DHE_DSS_WITH_DES_CBC_SHA it will force the server to request a
>client certificate and hence mutual authentication
>
>Questions:
>Am I correct in thinking that when initiated by the client, an SSL
>handshake cannot force mutual authentication?
>
>Does setting CipherSuite = TLS_DHE_DSS_WITH_DES_CBC_SHA force mutual
>authentication?
>
>If so, how?
>
>Any help, off Link, would be appreciated.
>
>--
>
>Regards
>brd
>
>Bernard Robertson-Dunn
>Canberra Australia
>brd at iimetro.com.au
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
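The quoted question turns on who decides whether client certificates are used. In RFC 2246 the CertificateRequest message (section 7.4.4) is sent by the server; the ClientHello carries no field through which a client can demand one, and the cipher suite the client offers only selects key exchange and bulk cipher, so offering TLS_DHE_DSS_WITH_DES_CBC_SHA does not by itself cause a certificate request. The Go program below, written for this page and not part of the original post or of any project named in it, demonstrates that with a live handshake: it mints a throwaway CA, server and client certificate in memory (all constructed, nothing is written to disk), then runs the same client configuration against a loopback server set to each of the three server-side policies the post lists (no client auth, optional, required). The only thing that changes the outcome is the server's ClientAuth setting. It uses Go's current TLS stack rather than the 1999 suites, but the division of roles is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert mints a short-lived certificate in memory for this demonstration (constructed
// test data). With parent == nil the certificate is self-signed and serves as the CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, key
}

// One constructed CA issuing one server and one client certificate, built at start-up.
var caLeaf *x509.Certificate
var serverCert, clientCert tls.Certificate

func init() {
	var caKey *ecdsa.PrivateKey
	_, caLeaf, caKey = newCert("Example Test CA", true, nil, nil)
	serverCert, _, _ = newCert("localhost", false, caLeaf, caKey)
	clientCert, _, _ = newCert("example client", false, caLeaf, caKey)
}

// handshake runs one TLS session over loopback against a server configured with the
// given ClientAuth policy. The client side is identical in every case apart from whether
// it has a certificate to answer a CertificateRequest with; it cannot ask for one.
// It returns whether the server accepted the session and the server-side error, if any.
func handshake(mode tls.ClientAuthType, clientOffersCert bool) (bool, error) {
	pool := x509.NewCertPool()
	pool.AddCert(caLeaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: mode, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if clientOffersCert {
		cliCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			result <- err
			return
		}
		defer c.Close()
		result <- c.(*tls.Conn).Handshake() // server decides here whether a client cert is needed
	}()
	cl, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil {
		cl.Close()
	}
	srvErr := <-result
	return srvErr == nil, srvErr
}

func main() {
	cases := []struct {
		name string
		mode tls.ClientAuthType
		cert bool
	}{
		{"server: handshake as a server, client has no cert", tls.NoClientCert, false},
		{"server: optional client auth, client has no cert", tls.VerifyClientCertIfGiven, false},
		{"server: client auth required, client has no cert", tls.RequireAndVerifyClientCert, false},
		{"server: client auth required, client has a cert", tls.RequireAndVerifyClientCert, true},
	}
	for _, c := range cases {
		ok, err := handshake(c.mode, c.cert)
		fmt.Printf("%-52s accepted=%v err=%v\n", c.name, ok, err)
	}
}
```

Only the third case fails, and it fails on the server's side: the client finished its part of the handshake without ever being in a position to insist on anything. A client that needs mutual authentication therefore has to rely on the server operator's configuration (or on an application-layer check that the peer was authenticated), not on anything it places in its ClientHello.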


