enforcing TLS certificates for replication
wes at umich.edu
Thu Jan 22 12:57:30 EST 2009
On 22 Jan 2009, at 12:31, Ian Batten wrote:
> With my private network hat on, I have a requirement to secure
> replication. I have one machine in a data centre which runs 2.3.13 on
> Solaris 10. I've recently brought up an Open Solaris machine at home,
> similarly running 2.3.13, with a static IP number and an appropriate
> hole in the firewall to run replication. Which is all good, but I'm
> not at all sure how good my ISP is at preventing Bad People from
> misusing IP numbers, so I'd like to require the sync_server to offer a
> certificate to prove its good will to the sync_client. I assume I can
> do it, but what are the options?

If the sync_server isn't allowed to accept clear text passwords and
is configured to provide certificates, you should be all set.

sync_server supports STARTTLS with the same routines as everything
else; sync_client is using the same backend_connect() routine that
everything else uses. It should "Just Work".