[EXTERNAL] RE: enforcing mutual auth from the client

Sands, Daniel dnsands at sandia.gov
Fri Sep 2 17:13:06 UTC 2022


On Fri, 2022-09-02 at 00:22 +0000, Wall, Stephen wrote:
> > A compromised server could easily still request the client
> > certificate, no?
> > But as noted, even a compromised server can ask for client
> > credentials and then
> 
> Yes, that's true.  If the intruder knew to do so.  Also, a thief can
> break your window and get into your car, so you might as well leave
> them rolled down all the time.
> 
> The question wasn't "Should I care that..."  or "Is it a good idea
> to...".  It was "Can OpenSSL 3 do this".
> 
>  
You really should be asking "Should I care that..." though.  Security
by policy is even weaker than security by obscurity.  Don't let
detection of this little "gotcha" lull you into a false sense of
security, or even heightened security.


More information about the openssl-users mailing list