Bill Moseley wrote:
> This isn't mod_perl related, but I'm hoping someone here has
> experience in this area and can provide some feedback.
> Recommendation of a better list for this question is also welcome.
>
> I have a mod_perl/SOAP::Lite server application where I need to
> authenticate the connecting clients. The clients are all SOAP::Lite
> applications and connect to the server over the Internet.
>
> The server allows SSL connections only, and the server has a list of IP
> addresses of the clients that are allowed to connect.
>
> I'm also looking at using client certificates, which is something I
> have not set up before.
>
> First, I'm not clear in this closed application if I need a real CA or
> if I can self-sign and be my own CA. (I read someplace that
> this should be avoided for performance reasons, although that might
> have been referring to use in web browsers.)
If it's an internal application, I'd go 100% self-signed with your own CA.
It's not hard, and it will save you tons of $$$.

> I'm also not clear if there's an advantage to using a client
> certificate. Another option would be a shared secret and
> generate a message digest that can be verified on the server side.
>
> If the concern is that someone might spoof an IP address then the
> shared secret seems adequate.

If the secret is ever compromised, you have to update every single
client/server out there. If a client cert is compromised, you revoke it
and carry on doing business as usual.

> If the concern is that someone might hack a client machine and make
> fake requests to the server then it seems the hacker would have access to
> the client cert just as easily as the shared secret.

Yup, but you can revoke a client-cert, not a shared secret...

> But, as I said, I have not used client certs before so I might be
> missing a key point.

Oh, and a bonus point. Client applications can generate their own certs,
and only get your CA to sign them. It's a much neater approach IMO. And
totally worth the slight extra complexity of running your own CA.

Check out TinyCA as a good simple tool for this kind of CA
(http://tinyca.sm-zone.net/)

------------------------------------------------------------------------
Philippe M. Chiasson GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/ m/gozer\@(apache|cpan|ectoplasm)\.org/
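The lifecycle Philippe describes (own CA, clients generating their own keys and only sending a CSR to be signed, the server checking the chain, and revoking one client without touching the rest) can be walked through with nothing but the openssl command line. The script below is an added example written for this thread; it is not from the original post and not TinyCA. It assumes a working `openssl` binary and uses constructed names (`ca`, `rogue`, `alice`, `bob`, `mallory`) and a scratch directory in `$WORK`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a minimal private CA with the
# openssl CLI. All CA/client names and paths are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Small config that `openssl ca` needs for its issuance database and CRL.
ca_config() {  # $1 = CA name
    cat > "$WORK/$1.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/$1.index
new_certs_dir    = $WORK
certificate      = $WORK/$1.crt
private_key      = $WORK/$1.key
serial           = $WORK/$1.serial
crlnumber        = $WORK/$1.crlnumber
default_md       = sha256
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
    : > "$WORK/$1.index"
    echo 01 > "$WORK/$1.serial"
    echo 01 > "$WORK/$1.crlnumber"
}

# Step 1: the operator creates a self-signed CA. The CA key never leaves the CA host.
make_ca() {  # $1 = CA name (default "ca")
    ca="${1:-ca}"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$ca" -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" 2>/dev/null
    ca_config "$ca"
    # Publish an (empty) CRL from day one so the server can always do CRL checking.
    openssl ca -config "$WORK/$ca.cnf" -gencrl -out "$WORK/$ca.crl" 2>/dev/null
}

# Step 2: each client generates its own key and a CSR; only the CSR goes to the CA.
make_client_csr() {  # $1 = client name
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR, producing the client certificate.
sign_client() {  # $1 = client name, $2 = CA name (default "ca")
    ca="${2:-ca}"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# Step 4: what the server does on each handshake: chain the presented cert to OUR
# CA and consult the CRL. Exit status 0 = accept, non-zero = reject.
verify_client() {  # $1 = client name
    cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/ca.bundle"
    openssl verify -crl_check -CAfile "$WORK/ca.bundle" "$WORK/$1.crt" >/dev/null 2>&1
}

# Step 5: a compromised client is revoked and a fresh CRL issued; other clients
# keep working with the certs they already have.
revoke_client() {  # $1 = client name
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Walk through the whole story: two good clients, one cert from a foreign CA,
# then revocation of a single client.
demo() {
    make_ca
    make_client_csr alice; sign_client alice
    make_client_csr bob;   sign_client bob
    verify_client alice && echo "alice: accepted"
    make_ca rogue
    make_client_csr mallory; sign_client mallory rogue
    verify_client mallory || echo "mallory (foreign CA): rejected"
    revoke_client alice
    verify_client alice || echo "alice (revoked): rejected"
    verify_client bob   && echo "bob: still accepted"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ca-demo.sh demo`. On the Apache side the equivalent of `verify_client` is mod_ssl's `SSLVerifyClient require` with `SSLCACertificateFile` pointing at the CA certificate and `SSLCARevocationFile` at the CRL (on Apache 2.4 also `SSLCARevocationCheck chain`, otherwise the CRL is loaded but never consulted); the client's identity then arrives in the `SSL_CLIENT_S_DN` environment variable, which a mod_perl handler can use instead of, or in addition to, the IP allow-list.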