enforcing TLS certificates for replication

Duncan Gibb Duncan.Gibb at SiriusIT.co.uk
Tue Jan 27 06:29:00 EST 2009

Last week, Wesley Craig wrote:

IB> I have one machine in a data centre which runs 2.3.13
IB> [and a] machine at home, similarly running 2.3.13,
IB> with a static IP number and an appropriate hole in the
IB> firewall to run replication.  Which is all good, but
IB> I'm not at all sure how good my ISP is at preventing
IB> Bad People from mis-using IP numbers, so I'd like to
IB> require the sync_server to offer a certificate to prove
IB> its good will to the sync_client.

WC> If the sync_server isn't allowed to accept clear text
WC> passwords and is configured to provide certificates,
WC> you should be all set.
WC> [..] It should "Just Work".

If you want to try also using certificates to authenticate the client to
the server, you might like to look at my patch - thus far only tested
for traditional murder FE->BE and FE/BE->MUPDATE authentication:




Duncan Gibb, Technical Director
Sirius Corporation plc - The Open Source Experts
Tel: +44 870 608 0063

More information about the Info-cyrus mailing list