On 2022-08-03 21:37, Rejo Oommen wrote:
> Thank you for the reply Thomas. I agree with you on the mutual TLS
> that you mentioned.
> Here is what I was looking at.
> The configurations at the server end will be with auth-method as md5
> and auth-option as clientcert=verify-ca.
There's your issue. If you tell the server to validate the client cert,
then it will require the client to provide a valid cert to identify itself.
> In this way, the user's password along with the valid ca should allow
> connections to pass.
The ca on your setup is only useful for the client to ensure the server
is the correct one and prevent MITM attacks. This is a client-side
check, not server-side.
The only authentication security here is the password/md5, but protected
from eavesdropping (passive and MITM) and connection hijacking by
encryption, with some of these protections only effective when the
client uses the verify-ca option. The server cannot ensure the client is
actually validating the ca, not even that it's talking to the actual
client and not a MITM, simply because the client itself is not
authenticated by mutual TLS.
Regards
--
Thomas
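To make the server-side distinction concrete, here is an added example (not code from the thread) that audits a pg_hba.conf rule and reports whether the transport is TLS-only, whether the server demands a CA-signed client certificate, and whether a password method such as md5 is the only authentication; the HbaFinding and audit_hba_line names are my own.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Auth methods recognised in pg_hba.conf; used to locate the method column,
# since the address part may be a CIDR, a hostname or "addr netmask".
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
PASSWORD_METHODS = {"md5", "scram-sha-256", "password"}
@dataclass
class HbaFinding:
    line: str
    tls_required: bool             # hostssl: the connection must use TLS
    client_cert_verified: bool     # server demands a CA-signed client cert
    password_method: Optional[str] # md5 / scram-sha-256 / password, else None
    notes: List[str] = field(default_factory=list)

def audit_hba_line(line: str) -> Optional[HbaFinding]:
    """Classify one pg_hba.conf rule; returns None for blank or comment lines."""
    fields = shlex.split(line.split("#", 1)[0])
    if not fields:
        return None
    conn_type = fields[0]
    start = 3 if conn_type == "local" else 4   # local rules have no address
    idx = next((i for i in range(start, len(fields)) if fields[i] in METHODS), None)
    if idx is None:
        raise ValueError(f"no auth method in rule: {line!r}")
    method = fields[idx]
    opts = dict(o.split("=", 1) for o in fields[idx + 1:] if "=" in o)
    clientcert = opts.get("clientcert")
    tls_required = conn_type == "hostssl"
    # "cert" implies verify-full; releases before 12 spelled the option clientcert=1
    cert_verified = method == "cert" or clientcert in {"verify-ca", "verify-full", "1"}
    notes = []
    if conn_type == "local":
        notes.append("Unix socket: TLS and client certificates do not apply")
    elif not tls_required and method in PASSWORD_METHODS:
        notes.append("password may travel without TLS; use hostssl")
    if method == "md5":
        notes.append("md5 is weaker than scram-sha-256; prefer scram-sha-256")
    elif method == "password":
        notes.append("cleartext password exchange")
    elif method == "trust":
        notes.append("no authentication at all")
    if conn_type != "local" and not cert_verified:
        notes.append("client is not authenticated by mutual TLS")
    elif method != "cert" and clientcert == "verify-ca":
        notes.append("verify-ca checks the CA only; verify-full also matches the cert name to the role")
    return HbaFinding(line.strip(), tls_required, cert_verified,
                      method if method in PASSWORD_METHODS else None, notes)
```

Run it over the rule from the thread (`hostssl all all 0.0.0.0/0 md5 clientcert=verify-ca`) and it reports TLS required, client cert verified against the CA, and md5 as the password method.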