On Mon, Apr 07, 2008 at 09:54:22AM +0200, Buchan Milne wrote:
> On Monday 07 April 2008 07:31:57 Henrik Stoerner wrote:
> > > 49:fopen('/home/hobbit/server/etc/hobbitserver.cert','r')
> >
> > Yep, working on adding support for SSL-encrypted connections to the Hobbit server. Server-side is done, client-side needs some re-writing of a module.
>
> Note that this says nothing about certificate validation. Will requiring certificate validation be possible with Hobbit (both client and server-side)?

Not implemented yet - I want the basic stuff working first. But yes, you will be able to require clients to provide a valid client certificate, and clients to require a valid certificate from the Hobbit server.

> There's a decent tutorial on creating your own SSL certificates at http://www.akadia.com/services/ssh_test_certificate.html
>
> I'll note that on larger deployments, it may be better to generate an internal CA certificate. We use OpenCA (although OpenXPKI is worth a look) for certificates for OpenVPN, Cisco VPN routers and clients, our LDAP servers, our audited shell server and clients etc. It supports enrolment via SCEP (Cisco routers, Cisco VPN client, autosscep or sscep for generic Unix machines).

You can use whatever suits you best for generating the certificates. OpenCA is nice - I've only used it with OpenVPN, but it seems OK. Doing it with a couple of shell scripts is also possible once you get the hang of it.

Regards, Henrik
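The "couple of shell scripts" approach to an internal CA that the thread mentions, written out as an added example (it is not part of this thread and not Hobbit code). It creates a self-signed CA, issues one server and one client certificate from it, and then checks that both verify against the CA while a certificate from an unrelated CA does not, which is the validation step the thread says Hobbit will later be able to require. The CA name, the hostname hobbit.example.internal and all file names are constructed for the example; only the openssl command line is assumed to be present.

```shell
#!/bin/sh
# Minimal internal CA with openssl: CA key/cert, a CA-signed server cert,
# a CA-signed client cert, and a "rogue" cert from a different CA for a
# negative validation check. Everything is written under the directory
# passed as $1. Names and paths are constructed for this example.
set -eu

# Return 0 if $2 chains to the CA certificate $1, non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issue a certificate: $1 = output base name, $2 = subject CN,
# $3 = extendedKeyUsage (serverAuth or clientAuth), $4 = CA base name.
# Runs in the current directory.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    # SAN is what modern validators match the hostname against; the CN
    # alone is no longer enough.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$2" "$3" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Build the whole demo PKI under $1 and run the positive/negative checks.
make_demo_pki() {
    mkdir -p "$1"
    (
        cd "$1"

        # 1. Self-signed CA: the single trust anchor both sides are configured with.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Example Internal CA" -keyout ca.key -out ca.crt 2>/dev/null

        # 2. Server and client certificates signed by that CA.
        issue_cert server hobbit.example.internal serverAuth ca
        issue_cert client hobbit-client.example.internal clientAuth ca

        # 3. An unrelated CA and a certificate it signed: must be rejected.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Unrelated CA" -keyout rogue-ca.key -out rogue-ca.crt 2>/dev/null
        issue_cert rogue hobbit.example.internal serverAuth rogue-ca

        # 4. Validation: both our certs chain to ca.crt, the rogue one does not.
        verify_against_ca ca.crt server.crt
        verify_against_ca ca.crt client.crt
        if verify_against_ca ca.crt rogue.crt; then
            echo "rogue certificate unexpectedly verified" >&2
            exit 1
        fi
    )
}

# Stand-alone usage: sh thisfile.sh /tmp/demo-pki
if [ "${1:-}" != "" ]; then
    make_demo_pki "$1" && echo "PKI built and verified in $1"
fi
```

The negative check is the part worth keeping around: a server that merely presents a certificate proves nothing until the peer is configured with ca.crt and rejects anything that does not chain to it, which is exactly the distinction Buchan raises about "SSL-encrypted" versus "validated".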