Hi,
I am just playing with the new TLS stuff and I have a problem.
Let me tell you my configuration. I have three kinds of networks.
Every host in LNET may use my server as outgoing relay without
authentication and encryption via TLS. So I set
host_accept_relay = LNET
Every host in ANET may use my server as outgoing relay after
successful authentication with user + password. I don't want any
client to send the password via an unencrypted connection, so I set
host_auth_accept_relay = ANET
auth_always_advertise = false
auth_over_tls_hosts = ANET
Every host in CNET may use my server as outgoing relay if the
client gives me a valid client certificate. So I set
tls_advertise_hosts = *
tls_hosts =
tls_verify_hosts = CNET
Unfortunately in my case ANET == CNET, because on some of the
hosts are clients that can handle client certificates and on some
not.
What I need is a somewhat different behavior:
1. If a host is in tls_verify_hosts but gives _no_ client certificate
it should be treated as if this host were not in tls_verify_hosts,
e.g. if the client successfully authenticated everything is OK.
(some kind of fallback-to-the-old-way stuff).
2. If the client certificate is wrong the client should be rejected.
3. If the client doesn't authenticate or user+password combination
is wrong, ask the client for a client certificate. If the certificate
is OK trust the client and do relay (Netscape always asks for username
and password if the server advertised AUTH, but I don't want to setup
a user for everyone).
Even if this is not possible yet, it could be implemented in future
versions.
cu,
Jan
--
Jan Schreckenbach email: Jan.Schreckenbach@???
SAP AG Walldorf/Baden, Germany Phone: +49 6227 7-47474
LinuxLab Fax : +49 6227 78-31414
SAP LinuxLab support address: linux@???
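The relay policy the post asks for, written out as a small decision model (an added example, not Exim code and not the poster's configuration). It takes the three host lists from the post (LNET, ANET, CNET) as plain sets and evaluates the poster's rules 1 to 3 in order of precedence. One assumption is built in: the client certificate is requested, but not required, during the TLS handshake, so that its result is known by the time SMTP AUTH has happened and the server can fall back from "no certificate" to "authenticated over TLS" (rule 1) while still rejecting a certificate that failed verification (rule 2).

```python
"""Decision model for the relay policy described in the post.

Added example. The Session fields and the POLICY dict are constructed for
illustration; the names LNET/ANET/CNET and the option names are the post's.
Assumed protocol order: the TLS layer asks for a client certificate at the
handshake and records the outcome, the client may then do SMTP AUTH, and the
relay decision is taken afterwards (at MAIL/RCPT time) with both results known.
"""
from dataclasses import dataclass, field
from enum import Enum


class Cert(Enum):
    NONE = "none"        # client presented no certificate
    VALID = "valid"      # certificate presented and chained to a trusted CA
    INVALID = "invalid"  # certificate presented but failed verification


@dataclass
class Session:
    networks: set                 # host lists the client matched, e.g. {"ANET", "CNET"}
    encrypted: bool = False       # STARTTLS completed
    cert: Cert = Cert.NONE        # result of the (optional) client certificate check
    authenticated: bool = False   # SMTP AUTH with user + password succeeded


# The three option values from the post, as sets of host-list names (constructed).
POLICY = {
    "host_accept_relay": {"LNET"},       # relay without AUTH or TLS
    "host_auth_accept_relay": {"ANET"},  # relay after AUTH, AUTH only offered over TLS
    "tls_verify_hosts": {"CNET"},        # relay with a verified client certificate
}


def may_relay(s: Session, policy=POLICY):
    """Return (allowed, reason) for one SMTP session under the post's rules."""
    # Rule 2: a certificate that was presented but failed verification is
    # fatal, whatever else the client did (an attacker with a bad cert must
    # not be able to fall back to guessing passwords).
    if s.cert is Cert.INVALID:
        return False, "client certificate failed verification"

    # host_accept_relay: trusted local network, nothing else required.
    if s.networks & policy["host_accept_relay"]:
        return True, "host in host_accept_relay"

    # Rule 3: a verified certificate from a tls_verify_hosts host is enough,
    # no user account needed.
    if s.cert is Cert.VALID and s.networks & policy["tls_verify_hosts"]:
        return True, "verified client certificate"

    # Rule 1: no certificate from an ANET/CNET host is treated as if the host
    # were not in tls_verify_hosts at all: fall back to user + password, which
    # (auth_over_tls_hosts) only counts when the session is encrypted.
    if s.networks & policy["host_auth_accept_relay"]:
        if s.authenticated and s.encrypted:
            return True, "authenticated over TLS"
        return False, "authentication over TLS required"

    return False, "relay not permitted"


def demo():
    """Walk through the cases from the post; returns the list of (allowed, reason)."""
    cases = [
        Session({"LNET"}),                                                    # plain local host
        Session({"ANET", "CNET"}, encrypted=True, authenticated=True),        # rule 1 fallback
        Session({"ANET", "CNET"}, encrypted=True, cert=Cert.INVALID, authenticated=True),  # rule 2
        Session({"ANET", "CNET"}, encrypted=True, cert=Cert.VALID),           # rule 3
        Session({"ANET", "CNET"}, encrypted=True),                            # nothing offered
        Session({"ANET", "CNET"}, encrypted=False, authenticated=True),       # AUTH in the clear
    ]
    return [may_relay(c) for c in cases]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("RELAY" if allowed else "REJECT", "-", reason)
```

The ordering is the point: the "bad certificate" check sits first so that a failed verification can never be rescued by a later password, and the AUTH fallback is only reached once the certificate step has produced "none" rather than "invalid".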