enforcing TLS certificates for replication
Duncan Gibb
Duncan.Gibb at SiriusIT.co.uk
Tue Jan 27 06:29:00 EST 2009
Last week, Wesley Craig wrote:
IB> I have one machine in a data centre which runs 2.3.13
IB> [and a] machine at home, similarly running 2.3.13,
IB> with a static IP number and an appropriate hole in the
IB> firewall to run replication. Which is all good, but
IB> I'm not at all sure how good my ISP is at preventing
IB> Bad People from mis-using IP numbers, so I'd like to
IB> require the sync_server to offer a certificate to prove
IB> its good will to the sync_client.
WC> If the sync_server isn't allowed to accept clear text
WC> passwords and is configured to provide certificates,
WC> you should be all set.
WC> [..] It should "Just Work".
If you want to try also using certificates to authenticate the client to
the server, you might like to look at my patch - thus far only tested
for traditional murder FE->BE and FE/BE->MUPDATE authentication:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3133
Cheers
Duncan
--
Duncan Gibb, Technical Director
Sirius Corporation plc - The Open Source Experts
http://www.siriusit.co.uk/
Tel: +44 870 608 0063
More information about the Info-cyrus
mailing list