2017-10-06 16:23 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>:

> On 06/10/17 11:52, Илья Шипицин wrote:
> [...snip...]
> >     >
> >     >     In addition, what happens when you try to use a revoked
> *client*
> >     >     certificate when connecting to an HTTPS server demanding client
> >     >     certificates to be present?
> >     >
> >     >
> >     > 403
> >     >
> >     > (with customizable error message)
> >     Really?  That shouldn't be possible, as you don't have an established
> >     TLS connection to provide the HTTP 403 response.  Because the server
> >     should reject the connection as the *client* certificate is invalid.
> >
> >
> >
> > I did test on IIS with "certificate required", when you connect without
> > cert, you can see 403.
> > ok, I'll test with revoked cert as well
>
> Okay, I've done some testing with my own Nginx server.  HTTPS is
> actually different from the plain SSL/TLS protocol.
>
> In HTTPS, the client certificate transfer is handled differently: an
> unauthenticated TLS connection exists when invalid certificates are
> sent to the server.  This allows the server to respond with HTTP 40*
> messages over HTTPS.
>
> When trying the same using openssl s_client and s_server, the server
> side instantly dumps a "certificate verify failed" message and it
> disconnects.
>
> This latter behaviour is the approach implemented in OpenVPN.  And I
> doubt this can easily be changed, to have an unauthenticated response
> channel, without breaking backwards compatibility with older clients.
> We need to facilitate a few other approaches which ensure the clients
> won't get confused.
>
> Since both these HTTPS and the s_client/s_server tests happen over TCP
> (as SSL/TLS is strictly designed for TCP only; which is why OpenVPN
> encapsulates the SSL/TLS packets to allow it to use UDP), the client
> will also disconnect when the TCP socket gets closed.  This is not
> possible with UDP sockets, and is why we have --explicit-exit-notify
> for UDP connections, to simulate the TCP FIN behaviour.
>
> I hope this makes sense.
>

yes, it does


>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN, Inc
>
>
>
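The two behaviours compared in the quoted message (a strict TLS layer that aborts the handshake on a bad client certificate, versus an HTTPS server that completes the handshake and answers with a 403) can both be produced by nginx, depending on its verification mode. The configuration below is an added illustration for this thread, not David's test setup and not code from the nginx or OpenVPN projects; the host names, certificate, CRL and log paths are placeholders, and the directives and variables (`ssl_verify_client`, `ssl_crl`, `$ssl_client_verify`, `$ssl_client_s_dn`) are standard nginx ones.

```nginx
# Added example: how nginx treats a missing, revoked or otherwise invalid
# client certificate under the two verification modes. All paths and host
# names below are placeholders.

http {
    # Record the verification result so attempts with revoked certificates
    # show up in the access log. $ssl_client_verify is "SUCCESS", "NONE"
    # (no certificate sent) or "FAILED:<reason>".
    log_format clientcert '$remote_addr "$ssl_client_s_dn" $ssl_client_verify $status';

    # Variant A: strict. If the client's certificate is missing or fails
    # verification against the CA and CRL, nginx never completes the TLS
    # handshake, so no HTTP response is possible; the client only sees a
    # TLS alert, the same as with openssl s_server.
    server {
        listen 443 ssl;
        server_name strict.example.test;                     # placeholder

        ssl_certificate        /etc/nginx/tls/server.crt;    # placeholder paths
        ssl_certificate_key    /etc/nginx/tls/server.key;
        ssl_client_certificate /etc/nginx/tls/client-ca.crt; # CA issuing client certs
        ssl_crl                /etc/nginx/tls/client-ca.crl; # revocation list for that CA
        ssl_verify_client      on;

        access_log /var/log/nginx/clientcert.log clientcert;

        location / {
            return 200 "authenticated\n";
        }
    }

    # Variant B: the handshake completes even when the certificate is missing
    # or fails verification, and the decision is made at the HTTP layer.
    # This is what makes an HTTP 403 (with a custom message) possible.
    server {
        listen 443 ssl;
        server_name lenient.example.test;                    # placeholder

        ssl_certificate        /etc/nginx/tls/server.crt;
        ssl_certificate_key    /etc/nginx/tls/server.key;
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;
        ssl_crl                /etc/nginx/tls/client-ca.crl;
        ssl_verify_client      optional;

        access_log /var/log/nginx/clientcert.log clientcert;

        location / {
            # A revoked certificate arrives here as "FAILED:certificate revoked".
            if ($ssl_client_verify != SUCCESS) {
                return 403 "client certificate missing, revoked or invalid\n";
            }
            return 200 "authenticated\n";
        }
    }
}
```

With variant A, a client presenting a revoked certificate gets no HTTP status at all, only a failed handshake; with variant B the same client gets the 403 described earlier in the thread, and the `FAILED:...` value in the access log makes such attempts easy to alert on. In both variants the CRL has to be kept current, since `ssl_crl` is only consulted as a static file.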
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel