Re: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-02 Thread Sands, Daniel via openssl-users
On Fri, 2022-09-02 at 00:22 +, Wall, Stephen wrote: > > A compromised server could easily still request the client > > certificate, no? > > But as noted, even a compromised server can ask for client > > credentials and then > > Yes, that's true. If the intruder knew to do so. Also, a thief c

RE: enforcing mutual auth from the client

2022-09-02 Thread Wall, Stephen
> From: openssl-users On Behalf Of Viktor > Dukhovni > > Of course this test should only be applied for a full handshake, reused > sessions > piggyback on the certificates exchanged in the original full handshake. Thank you, that helps. I have not enabled session cache, so that's not a conce

Re: enforcing mutual auth from the client

2022-09-01 Thread Viktor Dukhovni
On Fri, Sep 02, 2022 at 12:22:35AM +, Wall, Stephen wrote: > > A compromised server could easily still request the client certificate, no? > > > But as noted, even a compromised server can ask for client credentials and > > then > > Yes, that's true. If the intruder knew to do so. Also, a

RE: enforcing mutual auth from the client

2022-09-01 Thread Wall, Stephen
> A compromised server could easily still request the client certificate, no? > But as noted, even a compromised server can ask for client credentials and > then Yes, that's true. If the intruder knew to do so. Also, a thief can break your window and get into your car, so you might as well le

RE: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-01 Thread Sands, Daniel via openssl-users
> > It is not clear what threat model warrants taking special action when > > the client certificate is not requested. It could equally be > > requested and then largely ignored. > > A client in a highly secured network knows that every server it connects to > will > require a client certificate

RE: enforcing mutual auth from the client

2022-09-01 Thread Wall, Stephen
> It is not clear what threat model warrants taking special action when the > client > certificate is not requested. It could equally be requested and then largely > ignored. A client in a highly secured network knows that every server it connects to will require a client certificate. If the r

Re: enforcing mutual auth from the client

2022-09-01 Thread Viktor Dukhovni
On Thu, Sep 01, 2022 at 09:36:36PM +, Wall, Stephen wrote: > Does OpenSSL 3.0 provide a way for client side software to verify that > the server actually sent a request for the client’s certificate? It is not clear what threat model warrants taking special action when the client certificate i
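The check Stephen asks about in the thread above (did the server actually send a CertificateRequest?), together with Viktor's caveat that it only applies to a full handshake, as an added example that is not part of the thread or of OpenSSL. It links nothing: cr_msg_callback has the signature OpenSSL documents for SSL_set_msg_callback(), the numeric constants are the TLS wire values (record content type 22, handshake type 13 for CertificateRequest), and the SSL typedef is a forward declaration of the same opaque struct, so the two functions can be registered on a real client unchanged. The names cr_state, cr_msg_callback, mutual_auth_ok and the demo_* functions are this example's own, and the handshake flights fed through it are constructed headers, not captured traffic.

```c
/* Added example, not code from the openssl-users thread or from OpenSSL.
 * Client-side detection of the server's CertificateRequest via the
 * OpenSSL message callback, plus the post-handshake policy check. */
#include <stddef.h>
#include <stdio.h>

/* Forward declaration of OpenSSL's opaque handle; only pointers are used,
 * so no libssl header is needed to compile this file. */
typedef struct ssl_st SSL;

enum {
    RT_HANDSHAKE           = 22, /* SSL3_RT_HANDSHAKE: record content type */
    MT_SERVER_HELLO        = 2,  /* SSL3_MT_SERVER_HELLO */
    MT_CERTIFICATE         = 11, /* SSL3_MT_CERTIFICATE */
    MT_CERTIFICATE_REQUEST = 13, /* SSL3_MT_CERTIFICATE_REQUEST */
    MT_SERVER_DONE         = 14  /* SSL3_MT_SERVER_DONE (TLS <= 1.2) */
};

/* Per-connection state; register with SSL_set_msg_callback_arg(). */
struct cr_state {
    int cert_requested;
};

/* Same signature as the callback passed to SSL_set_msg_callback(). OpenSSL
 * invokes it once per handshake message after decryption, so in TLS 1.3 the
 * encrypted CertificateRequest is still seen here as plaintext. */
void cr_msg_callback(int write_p, int version, int content_type,
                     const void *buf, size_t len, SSL *ssl, void *arg)
{
    struct cr_state *st = arg;
    const unsigned char *msg = buf;
    (void)version;
    (void)ssl;

    /* Inbound handshake messages only; byte 0 is the HandshakeType,
     * bytes 1..3 the body length. Other record types are ignored. */
    if (write_p || content_type != RT_HANDSHAKE || len < 4)
        return;
    if (msg[0] == MT_CERTIFICATE_REQUEST)
        st->cert_requested = 1;
}

/* Policy check after SSL_connect() returns 1. session_reused is the value
 * of SSL_session_reused(ssl): an abbreviated handshake never carries a
 * CertificateRequest and rides on the certificates exchanged in the
 * original full handshake, so the test is only applied to full handshakes.
 * Returns 1 to keep the connection, 0 to drop it. */
int mutual_auth_ok(const struct cr_state *st, int session_reused)
{
    if (session_reused)
        return 1;
    return st->cert_requested;
}

/* Constructed sample flight: 4-byte handshake headers with zero-length
 * bodies, which is all the callback inspects. */
static void feed(struct cr_state *st, const unsigned char *types, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char hdr[4] = { types[i], 0, 0, 0 };
        cr_msg_callback(0, 0x0303, RT_HANDSHAKE, hdr, sizeof hdr, NULL, st);
    }
}

/* Server configured for mutual auth: the TLS 1.2 flight includes a
 * CertificateRequest, so the connection is accepted. */
int demo_server_requests_cert(void)
{
    struct cr_state st = { 0 };
    const unsigned char flight[] = { MT_SERVER_HELLO, MT_CERTIFICATE,
                                     MT_CERTIFICATE_REQUEST, MT_SERVER_DONE };
    feed(&st, flight, sizeof flight);
    return mutual_auth_ok(&st, 0);
}

/* Misconfigured server: same flight without the CertificateRequest, the
 * case the thread wants the client to notice and refuse. */
int demo_server_skips_request(void)
{
    struct cr_state st = { 0 };
    const unsigned char flight[] = { MT_SERVER_HELLO, MT_CERTIFICATE,
                                     MT_SERVER_DONE };
    feed(&st, flight, sizeof flight);
    return mutual_auth_ok(&st, 0);
}

/* Resumed session: no CertificateRequest by design, accepted because the
 * check already passed when the session was first established. */
int demo_resumed_session(void)
{
    struct cr_state st = { 0 };
    const unsigned char flight[] = { MT_SERVER_HELLO };
    feed(&st, flight, sizeof flight);
    return mutual_auth_ok(&st, 1);
}

int main(void)
{
    printf("full handshake, request sent:   %d\n", demo_server_requests_cert());
    printf("full handshake, request absent: %d\n", demo_server_skips_request());
    printf("resumed session:                %d\n", demo_resumed_session());
    return 0;
}
```

On a real client, call SSL_set_msg_callback(ssl, cr_msg_callback) and SSL_set_msg_callback_arg(ssl, &state) before SSL_connect(), then evaluate mutual_auth_ok(&state, SSL_session_reused(ssl)) once the handshake completes. If the check fails, also evict the session (SSL_CTX_remove_session(ctx, SSL_get_session(ssl))) before closing, because OpenSSL caches a session when the handshake finishes, which is before the application gets to run this check; otherwise a later resumption of that session would bypass the test. With the session cache disabled, as in Stephen's setup, that step is moot.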