This isn't mod_perl related, but I'm hoping someone here has
experience in this area and can provide some feedback.
Recommendation of a better list for this question is also welcome.

I have a mod_perl/SOAP::Lite server application where I need to
authenticate the connecting clients.  The clients are all SOAP::Lite
applications and connect to the server over the Internet.

The server allows SSL connections only, and the server has a list of IP
addresses of the clients that are allowed to connect.

I'm also looking at using client certificates, which is something I
have not set up before.

First, I'm not clear in this closed application if I need a real CA or
if I can self-sign and be my own CA.  (I read someplace that
this should be avoided for performance reasons, although that might
have been referring to use in web browsers.)

I'm also not clear if there's an advantage to using a client
certificate.  Another option would be a shared secret and
generate a message digest that can be verified on the server side.

If the concern is that someone might spoof an IP address then the
shared secret seems adequate.

If the concern is that someone might hack a client machine and make
fake requests to the server then it seems the hacker would have access to
the client cert just as easily as the shared secret.

But, as I said, I have not used client certs before so I might be
missing a key point.

What would you recommend, and why?

Thanks,


-- 
Bill Moseley
[EMAIL PROTECTED]
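The "shared secret plus message digest" option raised in the post, written out as an added example (this is not code from the post, from mod_perl or from SOAP::Lite; the header names, client IDs and secrets are assumptions). It shows the part a plain digest of the request body does not give you: the digest also binds the client ID, a timestamp and a one-time nonce, the server enforces a clock-skew window and keeps a replay cache of nonces for that window, and the comparison is constant-time. Client-certificate checking, by contrast, is done by mod_ssl at the TLS layer before mod_perl sees the request and has no application-level code to show here.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-client secrets (hypothetical client IDs). A real deployment
# loads these from a protected store rather than keeping them in source.
CLIENT_SECRETS = {
    "client-a": bytes.fromhex("7f1c0d9e5a6b4c3d2e1f00112233445566778899aabbccddeeff001122334455"),
    "client-b": bytes.fromhex("00112233445566778899aabbccddeeff7f1c0d9e5a6b4c3d2e1f001122334455"),
}

MAX_SKEW_SECONDS = 300  # how far a request timestamp may differ from server time


def canonical_string(client_id, timestamp, nonce, body):
    """Bind identity, time, nonce and payload into one byte string.

    Each field is length-prefixed so that shifting bytes between fields
    cannot produce the same input to the MAC.
    """
    parts = [client_id.encode(), str(timestamp).encode(), nonce.encode(), body]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def compute_mac(secret, client_id, timestamp, nonce, body):
    return hmac.new(secret, canonical_string(client_id, timestamp, nonce, body),
                    hashlib.sha256).hexdigest()


def sign_request(client_id, body, secret, now=None, nonce=None):
    """Client side: produce the headers that accompany a SOAP request body."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    return {
        "X-Client-Id": client_id,
        "X-Timestamp": str(ts),
        "X-Nonce": nonce,
        "X-Signature": compute_mac(secret, client_id, ts, nonce, body),
    }


class RequestVerifier:
    """Server side: verify headers against the body and reject replays."""

    def __init__(self, secrets_by_client, max_skew=MAX_SKEW_SECONDS):
        self.secrets = secrets_by_client
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it can no longer be replayed

    def _purge(self, now):
        # A nonce only needs remembering while its timestamp is still inside
        # the skew window; after that the timestamp check rejects it anyway.
        for nonce, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[nonce]

    def verify(self, headers, body, now=None):
        now = int(now if now is not None else time.time())
        self._purge(now)
        client_id = headers.get("X-Client-Id", "")
        secret = self.secrets.get(client_id)
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen:
            return False, "replayed nonce"
        expected = compute_mac(secret, client_id, ts, nonce, body)
        # Constant-time comparison so timing does not leak how many leading
        # digest characters an attacker has guessed correctly.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen[nonce] = ts + self.max_skew
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample request; fixed clock values keep the run reproducible.
    verifier = RequestVerifier(CLIENT_SECRETS)
    body = b"<soap:Envelope><soap:Body><getBalance/></soap:Body></soap:Envelope>"
    hdrs = sign_request("client-a", body, CLIENT_SECRETS["client-a"], now=1700000000)
    print(verifier.verify(hdrs, body, now=1700000010))   # first use: accepted
    print(verifier.verify(hdrs, body, now=1700000020))   # same nonce again: replayed
```

Note that the verifier's replay cache is in-process memory; under a prefork mod_perl server each child has its own, so a shared store (a database table or similar keyed on the nonce) is needed for the replay check to hold across children.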
