On Fri, 2022-09-02 at 00:22 +, Wall, Stephen wrote:
> > A compromised server could easily still request the client
> > certificate, no?
> > But as noted, even a compromised server can ask for client
> > credentials and then
>
> Yes, that's true. If the intruder knew to do so. Also, a thief c
> From: openssl-users On Behalf Of Viktor
> Dukhovni
>
> Of course this test should only be applied for a full handshake, reused
> sessions piggyback on the certificates exchanged in the original full handshake.
Thank you, that helps. I have not enabled session cache, so that's not a
conce
On Fri, Sep 02, 2022 at 12:22:35AM +, Wall, Stephen wrote:
> > A compromised server could easily still request the client certificate, no?
>
> > But as noted, even a compromised server can ask for client credentials and
> > then
>
> Yes, that's true. If the intruder knew to do so. Also, a
> A compromised server could easily still request the client certificate, no?
> But as noted, even a compromised server can ask for client credentials and
> then
Yes, that's true. If the intruder knew to do so. Also, a thief can break your
window and get into your car, so you might as well le
> > It is not clear what threat model warrants taking special action when
> > the client certificate is not requested. It could equally be
> > requested and then largely ignored.
>
> A client in a highly secured network knows that every server it connects to
> will require a client certificate
> It is not clear what threat model warrants taking special action when the
> client certificate is not requested. It could equally be requested and then
> largely ignored.
A client in a highly secured network knows that every server it connects to
will require a client certificate. If the r
On Thu, Sep 01, 2022 at 09:36:36PM +, Wall, Stephen wrote:
> Does OpenSSL 3.0 provide a way for client side software to verify that
> the server actually sent a request for the client’s certificate?
It is not clear what threat model warrants taking special action when
the client certificate i