@WGH-
Contributor

@WGH- WGH- commented Aug 20, 2021

This is useful for simple setups that don't require full-blown CAs for mutual authentication.

An example of a program that supports this type of client auth is Postfix (see permit_tls_clientcerts).

This introduces a footgun in a way: using client_fingerprints practically requires using RequireAnyClientCert, so it invites a mistake of setting RequireAnyClientCert and forgetting about client_fingerprints. Luckily, it's possible to discern empty list from a nil one (not set), but it still requires the user to carefully replace multiline YAML list with client_fingerprints: [] if he wants to delete all certificates for some reason. Maybe that's not really a problem, but I still want to mention it.

Alternatively, we might introduce a new custom client_auth_type (say, FingerprintWhitelist) that would behave like RequireAnyClientCert, but would treat a nil set like an empty one (i.e. reject any certificate). This diverges a bit from tls.ClientAuthType enumeration list, but it's less error-prone this way.

Currently based on top of #61, hence draft.

WGH- added 3 commits August 20, 2021 18:45
client_ca_file is used to validate client certificate. However,
in tests, client never presents any.

Signed-off-by: WGH <[email protected]>
Add test cases when the client actually sends a certificate, and check
how the server responds to it.

The client certificates were generated with this command:

    openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout client2_selfsigned.key -out client2_selfsigned.pem -nodes -subj '/CN=test2' -days 36500 -addext "extendedKeyUsage = clientAuth"

Signed-off-by: WGH <[email protected]>
This is useful for simple setups that don't require full-blown
CAs for mutual authentication.

Signed-off-by: WGH <[email protected]>
@roidelapluie
Member

Wouldn't putting client cert as CA work instead? This looks uncommon.

@WGH-
Contributor Author

WGH- commented Dec 26, 2021

> Wouldn't putting client cert as CA work instead? This looks uncommon.

I think not, because it might lack the flag allowing it to be a CA.
