Hi!

Thanks for your comments!

I just wanted you to know that I'm still working on my answer (reading RFC, list archives ...). Thus, no answer yet ;-)

Cesc wrote:
Hi all,
Interesting discussion :)
...
As it is now, the current tls code does not really allow for flexibility, I would say. How about creating some kind of module that would allow in-depth access to tls functions, such as
- tls_verify_peer_cert()
- tls_check_from()
- tls_check_to()

I agree. We will need these functions. We should also document what the current implementation is validating (when authenticating a server certificate: which domain is checked against which part of the certificate?) ...

regards
klaus

.....
This way a barebones connection may be accepted on the tls level (say, just server authentication). Then, in the config file you may be able to stiffen the authentication requirements with a bunch of functionalities provided by a tls_tools module. Regards, Cesc
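As an added illustration (not code from OpenSER and not part of either poster's proposal), here is what a tls_check_from()-style check could do: pull the domain out of a SIP From header and report which certificate field it matched (sip: URI SAN first, then DNS SAN, and the subject CN only when no SAN is present), so the policy Klaus asks to have documented is spelled out in one place. The matching order and the certificate layout (the dict shape Python's ssl getpeercert() returns) are assumptions of this example.

```python
from typing import Optional

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# subjectAltName entries plus the subject CN of a SIP proxy certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "proxy.example.com"),),),
    "subjectAltName": (
        ("URI", "sip:example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.example.net"),
    ),
}

def sip_domain(header_value: str) -> str:
    """Return the host part of a SIP From/To header value or bare URI."""
    uri = header_value
    if "<" in uri and ">" in uri:              # display-name form: "Alice" <sip:...>;tag=x
        uri = uri[uri.index("<") + 1 : uri.index(">")]
    body = uri.split(":", 1)[1] if ":" in uri else uri   # drop the sip:/sips: scheme
    body = body.split(";", 1)[0].split("?", 1)[0]         # drop URI parameters/headers
    host = body.rsplit("@", 1)[-1]                        # drop the user part
    return host.split(":", 1)[0].lower()                  # drop a port

def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.net)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_matches_domain(cert: dict, domain: str) -> Optional[str]:
    """Return a description of the certificate field that authorises
    `domain`, or None. Assumed policy: sip: URI SANs, then DNS SANs,
    and the subject CN only as a fallback for certificates with no SAN."""
    sans = cert.get("subjectAltName", ())
    for kind, value in sans:
        if kind == "URI" and value.lower() == f"sip:{domain.lower()}":
            return f"subjectAltName URI {value}"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, domain):
            return f"subjectAltName DNS {value}"
    if not sans:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_match(value, domain):
                    return f"subject CN {value}"
    return None

def tls_check_from(cert: dict, from_header: str) -> bool:
    """Hypothetical tls_check_from(): does the From domain match the peer cert?"""
    return cert_matches_domain(cert, sip_domain(from_header)) is not None
```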


_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users