On Wed, Oct 25, 2023 at 02:34:08AM +0000, Peter Gutmann wrote:

> Andrei Popov <andrei.po...@microsoft.com> writes:
>
> >An "I really mean it" flag. We can add these for every TLS message, not just
> >authentication-related ones. Just to make sure the peer truly is serious
> >about the TLS handshake.
>
> It really depends on how servers react when they see client-cert-auth when
> they're not expecting it. Some time ago I tested one of the
> always-requests-client-auth servers to see what happened when it actually
> did get client-cert-auth and the result was a Handshake Failure alert. For
> J.Random messages it won't matter, but if the server is requesting client
> auth without knowing it's doing it then some "I really mean it" indication
> back to the client might be useful.
I think what you're really saying is that it may be time to replace the
extant client certificate request message with a completely new one,
because the old one is ossified. That could mean "I really mean it",
until some server code turns it on by default again... We can't win that
battle.

I work on Postfix, and I always recommend that users don't enable client
cert requests for no good reason. And yet, we provide the feature to make
it possible, and some users then truly believe that it is necessary to
ask for certs they can't/won't use. Postfix fortunately does not
misbehave when useless certs arrive, but the basic seed of doom is in
the user behaviour.

https://marc.info/?l=postfix-users&m=169565176912422&w=2

> If you also have TLS client certs configured (typically without just
> cause) to be sent to servers that happen to request them (also typically
> without just cause), then a failure to load the client certs breaks TLS
> support in tlsproxy(8), which makes all attempts at "STARTTLS" fail.

Yes, list.sys4.de also uses TLS client certs and I'm not really sure I
like you writing "typically without just cause". I'd rather have it the
other way around and be irritated if clients do not identify themselves
in TLS sessions as well.

For some quixotic reason, this is particularly common in Germany.

-- 
    Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls