On Fri, 2022-09-02 at 00:22 +0000, Wall, Stephen wrote:
> > A compromised server could easily still request the client
> > certificate, no?
> > But as noted, even a compromised server can ask for client
> > credentials and then
>
> Yes, that's true. If the intruder knew to do so. Also, a thief can
> break your window and get into your car, so you might as well leave
> them rolled down all the time.
>
> The question wasn't "Should I care that..." or "Is it a good idea
> to...". It was "Can OpenSSL 3 do this".

You really should be asking "Should I care that..." though. Security by policy is even weaker than security by obscurity. Don't let detection of this little "gotcha" lull you into a false sense of security, or even heightened security.