enforcing TLS certificates for replication

Wesley Craig wes at umich.edu
Thu Jan 22 12:57:30 EST 2009


On 22 Jan 2009, at 12:31, Ian Batten wrote:
> With my private network hat on, I have a requirement to secure
> replication.  I have one machine in a data centre which runs 2.3.13 on
> Solaris 10.  I've recently brought up an Open Solaris machine at home,
> similarly running 2.3.13, with a static IP number and an appropriate
> hole in the firewall to run replication.  Which is all good, but I'm
> not at all sure how good my ISP is at preventing Bad People from mis-
> using IP numbers, so I'd like to require the sync_server to offer a
> certificate to prove its good will to the sync_client.  I assume I can
> do it, but what are the options?

If the sync_server isn't allowed to accept clear text passwords and
is configured to provide certificates, you should be all set.
sync_server supports STARTTLS with the same routines as everything
else, sync_client is using the same backend_connect() routine that
everything else uses.  It should "Just Work".

:wes
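The configuration Wes's answer implies, written out as an added example that is not part of the original thread or of the Cyrus documentation. The host running sync_server is the one that must present a certificate; the host running sync_client is the one that must check it. Hostnames, file paths and the account name are assumptions.

```ini
# --- imapd.conf on the host running sync_server (assumed paths) ---
# certificate and key the replica presents on STARTTLS
tls_cert_file: /etc/ssl/certs/replica.example.org.pem
tls_key_file: /etc/ssl/private/replica.example.org.key
# the private CA that signed it
tls_ca_file: /etc/ssl/certs/private-ca.pem
# weak setting, shown for contrast:
#   allowplaintext: yes    # PLAIN/LOGIN offered before TLS; password goes in clear
# corrected setting: clear-text SASL mechanisms are not offered until
# STARTTLS has completed, so sync_client is forced to negotiate TLS
allowplaintext: no

# --- cyrus.conf on the same host: expose the replication service ---
# SERVICES {
#   syncserver cmd="sync_server" listen="csync"
# }

# --- imapd.conf on the host running sync_client ---
sync_host: replica.example.org
sync_port: csync
sync_authname: cyrus-sync          # assumed replication account
sync_password: change-me           # kept out of world-readable files
# CA file used when validating the certificate sync_server presents
tls_ca_file: /etc/ssl/certs/private-ca.pem
```

The check worth doing before trusting this: point `tls_ca_file` on the sync_client side at a CA that did not sign the replica's certificate and confirm in the logs that sync_client refuses to proceed rather than only logging a verification warning. That is the difference between a certificate that proves the server's identity and one that is merely present, which is what the "Bad People mis-using IP numbers" concern in the question is about.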

