List: openssl-users
Subject: [openssl-users] Replacing RFC2712 (was Re: Kerberos)
From: Nico Williams <nico () cryptonector ! com>
Date: 2015-05-11 16:25:33
Message-ID: 20150511162532.GH7287 () localhost
On Fri, May 08, 2015 at 10:57:52PM -0500, Nico Williams wrote:
> I should have mentioned NPN and ALPN too.
> [...]
A few more details:
- If you don't want to depend on server certs, use anon-(EC)DH ciphersuites.
  Clients and servers must reject TLS connections using such a ciphersuite but not using a GSS-authenticated application protocol.
- The protocol MUST use GSS channel binding to TLS.
- Use SASL/GS2 instead of plain GSS and you get to use an authzid (optional) and you get a builtin authorization status result message at no extra cost, and all while still using GSS.
You get to optimize only the mechanism negotiation, and you get TLS w/ Kerberos (and others) and without PKIX (if you don't want it).

See RFCs 7301, 5801, 5056, and 5929 (but note that the TLS session hash extension is required).
Nico
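The following is an added example, not part of Nico's mail and not OpenSSL code. It sketches what a GS2 client sitting on top of TLS has to compute for the channel binding the mail insists on: the RFC 5929 tls-server-end-point hash of the server certificate (with the MD5/SHA-1 to SHA-256 substitution the RFC requires), the RFC 5801 GS2 header carrying the channel-binding flag and optional authzid, and the acceptance rule for anonymous ciphersuites stated in the first bullet. The certificate bytes are constructed stand-ins, the signature-algorithm name table covers only a few common OpenSSL long names (an assumption), and the layout "GS2 header followed by raw binding data" is the cbind-input convention GS2/SCRAM use (also an assumption about the exact bytes; check RFC 5801 section 5.1 before relying on it).

```python
import hashlib
import hmac

# Added example, not from the mail or from OpenSSL. Certificate bytes and
# names below are constructed for illustration.

# RFC 5929 tls-server-end-point: hash the server's end-entity certificate
# with the hash named in its signatureAlgorithm, except that MD5 and SHA-1
# are replaced by SHA-256. Names are OpenSSL long names for a handful of
# common algorithms (assumption; extend for your deployment).
_SIGALG_TO_HASH = {
    "md5WithRSAEncryption": "sha256",
    "sha1WithRSAEncryption": "sha256",
    "ecdsa-with-SHA1": "sha256",
    "sha256WithRSAEncryption": "sha256",
    "sha384WithRSAEncryption": "sha384",
    "sha512WithRSAEncryption": "sha512",
    "ecdsa-with-SHA256": "sha256",
    "ecdsa-with-SHA384": "sha384",
    "ecdsa-with-SHA512": "sha512",
}


def cb_hash_name(sigalg: str):
    """Hash to use for tls-server-end-point, or None if the algorithm is unknown."""
    return _SIGALG_TO_HASH.get(sigalg)


def tls_server_end_point_cb(cert_der: bytes, sigalg: str) -> bytes:
    """Channel-binding data for a certificate (RFC 5929 section 4.1)."""
    hname = cb_hash_name(sigalg)
    if hname is None:
        # Refuse rather than guess: a binding over the wrong hash binds nothing.
        raise ValueError("no channel-binding hash known for %s" % sigalg)
    return hashlib.new(hname, cert_der).digest()


def _saslname_escape(name: str) -> str:
    """RFC 5801 saslname escaping: '=' becomes '=3D', ',' becomes '=2C'."""
    return name.replace("=", "=3D").replace(",", "=2C")


def gs2_header(cb_type, authzid=None) -> bytes:
    """GS2 header (RFC 5801 section 4): cb flag, optional authzid, two commas.

    cb_type=None yields the 'n' flag (client does not use channel binding);
    a string yields 'p=<type>' (client uses that binding type)."""
    flag = "n" if cb_type is None else "p=" + cb_type
    authz = "" if authzid is None else "a=" + _saslname_escape(authzid)
    return (flag + "," + authz + ",").encode("utf-8")


def channel_binding_input(cb_type: str, cb_data: bytes, authzid=None) -> bytes:
    """GS2 header followed by the raw channel-binding data; this is what the
    GSS channel bindings' application_data carries (assumption on exact layout)."""
    return gs2_header(cb_type, authzid) + cb_data


def bindings_match(client_cb: bytes, server_cb: bytes) -> bool:
    """Constant-time comparison of the two sides' channel-binding inputs."""
    return hmac.compare_digest(client_cb, server_cb)


def accept_connection(anon_ciphersuite: bool, gss_authenticated: bool) -> bool:
    """Rule from the mail: an anon-(EC)DH ciphersuite is acceptable only when
    the application protocol has completed GSS authentication over it."""
    if anon_ciphersuite and not gss_authenticated:
        return False
    return True


if __name__ == "__main__":
    cert = b"constructed DER bytes standing in for the server certificate"
    alg = "sha256WithRSAEncryption"
    client_input = channel_binding_input("tls-server-end-point",
                                         tls_server_end_point_cb(cert, alg), authzid="alice")
    server_input = channel_binding_input("tls-server-end-point",
                                         tls_server_end_point_cb(cert, alg), authzid="alice")
    print("same endpoint:", bindings_match(client_input, server_input))
    # A relay terminating TLS with a different certificate produces a different
    # binding, so the GSS exchange fails even though both TLS sessions succeed.
    other = channel_binding_input("tls-server-end-point",
                                  tls_server_end_point_cb(b"constructed other cert", alg),
                                  authzid="alice")
    print("different endpoint:", bindings_match(client_input, other))
    print("anon suite without GSS auth accepted:", accept_connection(True, False))
```

In practice the certificate bytes come from the TLS library (OpenSSL's SSL_get_peer_certificate plus i2d_X509) and the tls-unique variant comes from the finished message instead of the certificate; either way the binding is only meaningful when the session hash / extended master secret extension is in use, as the mail notes.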