perl-modperl mailing list archives

From "Philippe M. Chiasson" <go...@ectoplasm.org>
Subject Re: [OT] Client authentication
Date Sun, 23 Sep 2007 08:44:44 GMT


Bill Moseley wrote:
> This isn't mod_perl related, but I'm hoping someone here has
> experience in this area and can provide some feedback.
> Recommendation of a better list for this question is also welcome.
> 
> I have a mod_perl/SOAP::Lite server application where I need to
> authenticate the connecting clients.  The clients are all SOAP::Lite
> applications and connect to the server over the Internet.
> 
> The server allows SSL connections only, and the server has a list of IP
> addresses of the clients that are allowed to connect.
> 
> I'm also looking at using client certificates, which is something I
> have not set up before.
> 
> First, I'm not clear in this closed application if I need a real CA or
> if I can self-sign and be my own CA.  (I read someplace that
> this should be avoided for performance reasons, although that might
> have been referring to use in web browsers.)

If it's an internal application, I'd go 100% self-signed with your
own CA. It's not hard, and it will save you tons of $$$.

> I'm also not clear if there's an advantage to using a client
> certificate.  Another option would be a shared secret and
> generate a message digest that can be verified on the server side.
> 
> If the concern is that someone might spoof an IP address then the
> shared secret seems adequate.

If the secret is ever compromised, you have to update every single
client/server out there. If a client cert is compromised, you revoke it
and carry on doing business as usual.

> If the concern is that someone might hack a client machine and make
> fake requests to the server then it seems the hacker would have access to
> the client cert just as easily as the shared secret.

Yup, but you can revoke a client-cert, not a shared secret...

> But, as I said, I have not used client certs before so I might be
> missing a key point.

Oh, and a bonus point. Client applications can generate their own certs,
and only get your CA to sign them.  It's a much neater approach IMO. And
totally worth the slight extra complexity of running your own CA.

Check out TinyCA as a good simple tool for this kind of CA (http://tinyca.sm-zone.net/)

------------------------------------------------------------------------
Philippe M. Chiasson     GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/       m/gozer\@(apache|cpan|ectoplasm)\.org/
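The workflow Philippe describes, as an added example that is not part of the thread: the client generates its own key and CSR, the private CA only signs it, and a compromised client cert is revoked through a CRL while every other client keeps working. It assumes the openssl CLI is installed with its default openssl.cnf available; all names, CN values and paths are constructed for the demo.

```shell
# Added example (not from the thread): a minimal private CA with the openssl CLI,
# following the workflow Philippe describes: the client makes its own key and CSR
# (the key never leaves the client), the CA only signs, and a compromised cert is
# revoked via a CRL instead of re-keying every client. Names/paths are constructed.
set -e
# Self-signed CA plus the bookkeeping files that `openssl ca` needs.
setup_ca() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = private_ca
[ private_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
certificate = $1/ca.crt
private_key = $1/ca.key
serial = $1/serial
default_md = sha256
default_days = 90
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null  # empty CRL
}
# Client side: own key pair and CSR; only the CSR goes to the CA.
make_client_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
# CA side: sign the CSR; index.txt records it so it can be revoked later.
sign_csr() {
  openssl ca -config "$1/ca.cnf" -batch -notext -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# CA side: revoke one cert and republish the CRL; other clients are untouched.
revoke_cert() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
# Server side: chain to our CA and consult the current CRL (exit 0 = accept).
cert_valid() {
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/$2.crt" >/dev/null 2>&1
}
CA_DIR=$(mktemp -d); setup_ca "$CA_DIR"
make_client_csr "$CA_DIR" soap-client-01; sign_csr "$CA_DIR" soap-client-01
cert_valid "$CA_DIR" soap-client-01 && echo "soap-client-01: accepted"
revoke_cert "$CA_DIR" soap-client-01
cert_valid "$CA_DIR" soap-client-01 || echo "soap-client-01: revoked"
```

The CA material is left in the temporary directory so it can be inspected with `openssl crl -in "$CA_DIR/ca.crl" -noout -text`; in a real deployment the CA key would live offline, not next to the issued certs.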

