On Tue, May 20, 2008 at 10:18 PM, Julien R Pierre - Sun Microsystems < [EMAIL PROTECTED]> wrote:
> Rainer, > > Rainer Gerhards wrote: > > Hi group, > > > > my apologies for not reading through all the docs. I have a hopefully > > quick question and would like some short feedback before I go down > > into all the specifics. I am working on the implementation of an > > upcoming TLS protected syslog standard. I currently implement with > > GnuTLS, but I have a driver layer which supports any stream-oriented > > transport and NSS is on my TODO list as the next task when I finished > > GnutTLS (I opted to start with GnuTLS because it has a smoother > > learning curve for a project interested in TLS only, as discussed in > > this group some time ago). This work is part of rsyslog, a GPLed > > syslogd ( http://www.rsyslog.com ). > > > > My question is about authentication. I would like to authenticate > > remote peers via custom authentication layed out in the standard. This > > is fingerprint-based, very similar to SSHs leap of faith auth. I would > > like to do this inside the TLS handshake, to be precisely after I > > received the remote peer's Certificate but before the Finished message > > is sent back. I am looking for something like a callback that calls me > > at this point and permits me to do a binary permitted/not permitted > > decision on the remote peer. This callback code must be able to > > examine the remote certificate. > > > > Please note that I am specifically asking for a callback inside the > > handshake. For technical reasons inside syslog, I would ideally need > > to authenticate the peer during the handshake procedure, NOT after it > > has completed. > > > > Is there any such functionality in NSS? If so, would it possible to > > point me to the relevant part of the documentation? > > > > All feedback is deeply appreciated. > > Right now there is no such callback available in NSS' lbissl to do what > you want. > > Why do you want to use non-standard authentication ? SSL/TLS client > authentication is already available and standard. > _______________________________________________ > Fingerprint-based is not secure within TLS, not specified anywhere, and it is an hack. Why don't you use PSK instead? Best regards Badra
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
