[LINK] [OT] Help re RFC 2246. The TLS Protocol
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Feb 19 23:11:26 AEDT 2009
At 22:54 +1100 19/2/09, Bernard Robertson-Dunn wrote:
>I need a client initiated SSL session to force mutual authentication ...
I'm no help whatsoever, sorry.
But:
(a) I reckon lots of linkers will understand the question and why it matters
(b) some of us will be embarrassed that we're not quite sure where to
start the research
(c) many of us will be relieved that even you need to ask the question
And it's certainly not OT, because it has policy implications:
(1) I've taught people for years that all of no, one-sided and
mutual authentication are available. If servers have the option of
not offering mutual authentication, then:
(i) I've been teaching wrongly (okay, that's hardly unique ...)
(ii) my longstanding scepticism about PKI (well, 15 years is a long
time in this game) would be even *more* justified than I thought it
was
(2) If/when someone appropriates TLS from client-server across to
P2P architecture, they'd better keep this in mind!
_________________________
At 22:54 +1100 19/2/09, Bernard Robertson-Dunn wrote:
>This is totally off topic and I apologise, but I need some help fast.
>
>Re RFC 2246 The TLS Protocol
>
>Problem:
>I need a client initiated SSL session to force mutual authentication.
>
>My understanding:
>It seems that when the server initiates the SSL handshake it has three
>options:
> Perform the handshake as a server.
> Perform the handshake as a server with client authentication.
> Perform the handshake as a server with optional client authentication.
>
>However, the client can only request a handshake but not specify that it
>must have client authentication.
>
>Thus mutual authentication is normally enabled by configuring the server
>appropriately.
>
>I have been told that by specifying CipherSuite to be
>TLS_DHE_DSS_WITH_DES_CBC_SHA it will force the server to request a
>client certificate and hence mutual authentication
>
>Questions:
>Am I correct in thinking that when initiated by the client, an SSL
>handshake cannot force mutual authentication?
>
>Does setting CipherSuite = TLS_DHE_DSS_WITH_DES_CBC_SHA force mutual
>authentication?
>
>If so, how?
>
>Any help, off Link, would be appreciated.
>
>--
>
>Regards
>brd
>
>Bernard Robertson-Dunn
>Canberra Australia
>brd at iimetro.com.au
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
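The handshake mechanics behind Bernard's question, as an added example that is not part of this thread: a small RFC 2246 record walker over constructed test data (no real certificates, placeholder message bodies). It shows that the client's offered cipher suites, TLS_DHE_DSS_WITH_DES_CBC_SHA included, travel in ClientHello, while CertificateRequest (the only message that asks for a client certificate) appears in the server's flight, so a defender checking whether a server actually enforces client authentication looks at the server flight, not at the suites the client offered.

```python
"""Walk TLS 1.0 (RFC 2246) handshake records and report what each side sent."""
import struct

HANDSHAKE = 22                              # ContentType.handshake (RFC 2246 6.2.1)
HS_CLIENT_HELLO, HS_CERT_REQUEST = 1, 13    # HandshakeType values (RFC 2246 7.4)
TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012       # RFC 2246 Appendix A.5

def handshake_messages(stream):
    """Return [(HandshakeType, body), ...] for every handshake message in a
    byte stream of TLS records; fragments are coalesced across records."""
    frags, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        pos += 5
        if ctype == HANDSHAKE:
            frags += stream[pos:pos + length]
        pos += length
    out, i = [], 0
    while i + 4 <= len(frags):
        htype, hlen = frags[i], int.from_bytes(frags[i + 1:i + 4], "big")
        out.append((htype, bytes(frags[i + 4:i + 4 + hlen])))
        i += 4 + hlen
    return out

def client_hello_cipher_suites(body):
    """Cipher suites offered in a ClientHello body (RFC 2246 7.4.1.2)."""
    i = 2 + 32                                  # skip client_version and random
    i += 1 + body[i]                            # skip session_id (1-byte length)
    n = int.from_bytes(body[i:i + 2], "big")    # cipher_suites length in bytes
    return [int.from_bytes(body[j:j + 2], "big") for j in range(i + 2, i + 2 + n, 2)]

def server_requests_client_cert(server_flight):
    """True only if the server's flight carries CertificateRequest (RFC 2246 7.4.4)."""
    return any(t == HS_CERT_REQUEST for t, _ in handshake_messages(server_flight))

def record(handshake_type, body):
    """Wrap one handshake message in a TLS 1.0 record (constructed test data)."""
    msg = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg

# Constructed ClientHello offering only TLS_DHE_DSS_WITH_DES_CBC_SHA.
CLIENT_HELLO = record(HS_CLIENT_HELLO,
    b"\x03\x01" + b"\x00" * 32 + b"\x00"                              # version, random, empty session_id
    + b"\x00\x02" + TLS_DHE_DSS_WITH_DES_CBC_SHA.to_bytes(2, "big")   # one cipher suite
    + b"\x01\x00")                                                    # compression: null only
# Constructed server flights (placeholder bodies; only the message types matter here):
# ServerHello(2), Certificate(11), ServerKeyExchange(12), [CertificateRequest(13)], ServerHelloDone(14)
SERVER_NO_CLIENT_AUTH = b"".join(record(t, b"\x00" * 4) for t in (2, 11, 12, 14))
SERVER_CLIENT_AUTH = b"".join(record(t, b"\x00" * 4) for t in (2, 11, 12, 13, 14))
```

Both server flights are valid responses to the same ClientHello; whether the second form is used is a server configuration decision, which is why mutual authentication is enforced, and audited, on the server side.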