[Zope] - Secure Server

Hannu Krosing hannu@trust.ee
Mon, 25 Jan 1999 17:40:06 +0200


Robert OConnor wrote:
> 
> How does ZOPE integrate with a
> "SSL" secure server such as
> 
> Red Hat Secure Web Server 2.0
> http://www.redhat.com/product.phtml/WB2000
> 
> I have some understanding of the security offered
> on the server but what about security between
> the browser and the server?
> 
> Can (and how can) SSL be integrated
> into the ZOPE login?

If you use client certificates, then you can get the SSL authenticated 
user from CGI variables.

If you use just username/passwd then there should be no difference
between HTTP and HTTPS in CGIs.

> I understand that SSL servers are slowed down
> but only ID/Passwords need be SSL and after
> that, during the session, SSL security doesn't
> have to be used.

HTTPS uses SSL for the whole session. If you want just your login to be 
encrypted you should use challenge/response authentication. 

I'm not sure which browsers (except MS ones) use this.
It should not be too hard to add this to ZopeServer if browser 
support exists.

-----------------
 Hannu
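
The client-certificate case from the reply above, as an added example that is not part of the original message: a Python CGI helper that returns the certificate's user name only when the web server reports a verified client certificate. The variable names (HTTPS, SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN) are the ones Apache mod_ssl exports, which is an assumption here because the post does not name the variables or the server module; the function names and sample values are constructed.

```python
import os
import re


def _cn_from_dn(dn):
    """Pull CN out of a subject DN in '/C=EE/CN=x' or 'CN=x,C=EE' form."""
    for part in re.split(r"(?<!\\)[/,]", dn):  # split on unescaped separators
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    return None


def ssl_authenticated_user(environ=None):
    """Return the certificate CN, or None unless the server verified the cert."""
    env = os.environ if environ is None else environ
    # Only server-set variables are trusted. Anything prefixed HTTP_ is a
    # request header chosen by the client and is never consulted here.
    if env.get("HTTPS", "").lower() != "on":
        return None
    # Fail closed: NONE, GENEROUS and FAILED:<reason> are all rejected.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return env.get("SSL_CLIENT_S_DN_CN") or _cn_from_dn(env.get("SSL_CLIENT_S_DN", ""))


# Constructed sample environments (assumed mod_ssl names, not captured data).
SAMPLES = {
    "verified": {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
                 "SSL_CLIENT_S_DN": "/C=EE/O=Example Org/CN=alice"},
    "no cert": {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"},
    "forged header": {"HTTPS": "on", "HTTP_SSL_CLIENT_S_DN_CN": "admin"},
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        print(label, "->", ssl_authenticated_user(env))
```

With plain username/password login the script sees the same variables over HTTP and HTTPS, as the reply says, so this helper returns None there and the application's own login check applies.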