perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bill Moseley <mose...@hank.org>
Subject [OT] Client authentication
Date Sat, 22 Sep 2007 16:04:41 GMT
This isn't mod_perl related, but I'm hoping someone here has
experience in this area and can provide some feedback.
Recommendation of a better list for this question is also welcome.

I have a mod_perl/SOAP::Lite server application where I need to
authenticate the connecting clients.  The clients are all SOAP::Lite
applications and connect to the server over the Internet.

The server allows SSL connections only, and the server has a list of IP
addresses of the clients that are allowed to connect.

I'm also looking at using client certificates, which is something I
have not setup before.

First, I'm not clear in this closed application if I need a real CA or
if I can self-sign and be my own CA.  (I read someplace that
this should be avoided for performance reasons, although that might
have been referring to use in web browsers.)

I'm also not clear if there's an advantage to using a client
certificate.  Another other option would be a shared secret and
generate a message digest that can be verified on the server side.

If the concern is that someone might spoof an IP address then the
shared secret seems adequate.

If the concern is that someone might hack a client machine and make
fake requests to the server then it seems the hacker would have access to
the client cert just as easily as the shared secret.

But, as I said, I have not used client certs before so I might be
missing a key point.

What would you recommend, and why?

Thanks,


-- 
Bill Moseley
moseley@hank.org


Mime
View raw message