Re: [hobbit] Todays snapshot 20080406
- To: Buchan Milne <bgmilne (at) staff.telkomsa.net>
- Subject: Re: [hobbit] Todays snapshot 20080406
- From: Henrik Stoerner <henrik (at) hswn.dk>
- Date: Mon, 7 Apr 2008 10:37:33 +0200
- Cc: hobbit (at) hswn.dk
- References: <001701c897ca$14579050$0500a8c0 (at) noip.org> <20080407053157.GA27645 (at) hswn.dk> <200804070954.22321.bgmilne (at) staff.telkomsa.net>
- User-agent: Mutt/1.5.15+20070412 (2007-04-11)

On Mon, Apr 07, 2008 at 09:54:22AM +0200, Buchan Milne wrote:
> On Monday 07 April 2008 07:31:57 Henrik Stoerner wrote:
> > > 49:fopen('/home/hobbit/server/etc/hobbitserver.cert','r')
> >
> > Yep, working on adding support for SSL-encrypted connections to
> > the Hobbit server. Server-side is done, client-side needs some
> > re-writing of a module.
> >
> Note that this says nothing about certificate validation. Will requiring
> certificate validation be possible with Hobbit (both client and server-side)?

Not implemented yet - I want the basic stuff working first. But yes,
you will be able to require clients to provide a valid client
certificate, and clients to require a valid certificate from the
Hobbit server.

> > There's a decent tutorial on creating your own SSL certificates
> > at http://www.akadia.com/services/ssh_test_certificate.html
>
> I'll note that on larger deployments, it may be better to generate an internal
> CA certificate. We use OpenCA (although OpenXPKI is worth a look) for
> certificates for OpenVPN, Cisco VPN routers and clients, our LDAP servers,
> our audited shell server and clients etc. It supports enrolment via SCEP
> (Cisco routers, Cisco VPN client, autosscep or sscep for generic Unix
> machines).

You can use whatever suits you best for generating the certificates.
OpenCA is nice - I've only used it with OpenVPN, but it seems OK.
Doing it with a couple of shell scripts is also possible once you
get the hang of it.

Regards,
Henrik
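
Added example, not part of the original message and not Hobbit code: the "couple of shell scripts" approach using the openssl command line, where an internal CA issues one server and one client certificate and a validation step accepts both while rejecting a self-signed certificate that carries the server's name. All subject names, file names and lifetimes are constructed for illustration.

```shell
#!/bin/sh
# Added example: minimal internal CA with the openssl CLI.
# Subject names, file names and lifetimes are constructed for illustration.

# make_ca DIR: create the CA key and self-signed CA certificate in DIR.
make_ca() {
    mkdir -p "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME CN: generate a key and CSR for CN, sign it with the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 90 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# self_signed DIR NAME CN: a certificate that the CA did not issue.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# chain_ok DIR NAME: succeed only if NAME.crt chains to the CA in DIR.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# demo: issue server and client certificates, then show what validation accepts.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && issue_cert "$d" server hobbit.example.internal &&
        issue_cert "$d" client client01.example.internal &&
        self_signed "$d" rogue hobbit.example.internal || return 1
    for n in server client rogue; do
        if chain_ok "$d" "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Peers that validate certificates only need `ca.crt`; `ca.key` stays on the host that does the signing.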