On Tue, Feb 13, 2018 at 9:33 AM, Emmanuel Deloget <logout@xxxxxxx> wrote:
Hello,
On Tue, Feb 13, 2018 at 7:14 AM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:
> The only thing that the server can know is whether the client has
> terminated the connection with a fatal alert. If the client validates
> presented cert chains, then its continuation with the connection means
> that it passed validation. If the client does not, or ignores any
> given error, then it doesn't mean that it passed validation.
>
> In other words, you can only know if the client's applied policy
> allows the connection to continue. You cannot know if the policy that
> was applied was specifically related to the certificate chain
> presented.
>
> -Kyle H
>
> On Mon, Feb 12, 2018 at 10:06 PM, J Decker <d3ck0r@xxxxxxxxx> wrote:
> > Is there a way for a server to know if the client verified the cert chain
> > successfully or not?
>
From a security PoV, that doesn't help much. One can build a malicious
version of openvpn that will tell you "everything's ok" (or "it failed!",
depending on its goal). The server should not make any decision w.r.t. the
client state (that's more or less what is implied by Kyle's answer; I just
wanted to stress it).
Yes that is true.... however here's the scenario.
Client does a verification and passes or fails, and via the SSL layer I can query if the client validated the certificate.
If it failed, provide an option for the client to get a renewed certificate for verification. If success, no action.
If an actor lies in this scenario he answers
lies *yes* and didn't, don't give him a means to actually verify. *noop*
lies *no* but did, then give him the root cert he already has.... *noop*
so I don't have to trust the reply.... I'm willing to give him the right root.
BR,
-- Emmanuel Deloget
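To make Kyle's point concrete, here is an added example (my own code, not from this thread or from OpenSSL; it uses Go's crypto/tls because it can mint a test certificate in-process): the server side only ever learns whether the client carried on after the Certificate message. A client that validated the chain against a trusted root and a client that skipped validation altogether are indistinguishable to the server; only a client that validated and failed is visible, and then only as an aborted handshake. The names SelfSignedCert, ServerSees and the host name example.test are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert builds a throwaway self-signed certificate for "example.test"
// plus a root pool that trusts it (constructed for this example only).
func SelfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// ServerSees runs one handshake over loopback and returns the only thing the
// server side ever learns: nil if the client carried on past the certificate,
// or the alert/close error if it aborted. The client's policy is not visible.
func ServerSees(cert tls.Certificate, cliCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	if err != nil { return err }
	defer ln.Close()
	go func() { // client side: connect, apply whatever policy cliCfg encodes, leave
		if cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil { cli.Close() }
	}()
	c, err := ln.Accept()
	if err != nil { return err }
	defer c.Close()
	return c.(*tls.Conn).Handshake() // completes, or fails with the client's alert
}

func main() {
	cert, roots := SelfSignedCert()
	for name, cfg := range map[string]*tls.Config{
		"validates, trusts this root": {RootCAs: roots, ServerName: "example.test"},
		"skips validation entirely":   {InsecureSkipVerify: true},
		"validates, root not trusted": {RootCAs: x509.NewCertPool(), ServerName: "example.test"},
	} {
		fmt.Printf("%-28s -> handshake completed: %v\n", name, ServerSees(cert, cfg) == nil)
	}
}
```

The first two clients both complete, so any "I verified you" signal the server might read from a completed handshake is exactly the thing a non-validating (or lying) client can produce for free, which is why a server-side decision must not hinge on it.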
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users