Validating Client Certificates
Martin Bonner
Martin.Bonner at entrust.com
Tue Mar 19 08:20:34 UTC 2024
> Date: Thu, 14 Mar 2024 13:30:13 +0000
> From: Michael Wojcik <mwojcik at opentext.com>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Subject:
> Message-ID: <YQBPR01MB10705400A49AA456CBAE60684C2292 at YQBPR01MB10705.CANPRD01.PROD.OUTLOOK.COM>
> > I am developing an application that clients will access. I don't want to use passwords as the users
> > have shown a propensity to use easily guessed passwords etc. I am trying to use client certificates.
> Client certificates and TLS mutual authentication (sometimes called "mTLS") do not in themselves
> fix the weak-passwords problem. The end user needs access to the private key associated with the
> client certificate. How that happens depends on the client software, but private keys are often
> protected with passwords, those passwords are often selected by the end user, and often nothing
> ensures *they* aren't weak.
> Using client certificates might be a step in improving the strength of the authentication
> mechanism, but they don't do so inherently.
But depending on the application, it may be a very significant improvement. If the server is
remote from the client and uses passwords, an attacker can try to log in by guessing usernames and
passwords. If the server uses client certificates and the client private key is stored locally on the
client, the attacker has to get hold of that private key file - which is not impossible, but is a
useful enhancement.
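Both messages above turn on how the client's private key is protected at rest: whether it is encrypted at all, and if so with what kind of key derivation. The following checker is an added example for this thread, not code from the list or from OpenSSL; it classifies a PEM key file from its armour and headers alone, and the sample keys are constructed placeholders (the base64 bodies are not real keys).

```python
"""Classify how a PEM-encoded private key is protected at rest.

Added example, not code from the openssl-users thread or from OpenSSL.
Only the PEM armour and headers are inspected, which is enough to separate
a plaintext key, a legacy OpenSSL-encrypted key (Proc-Type/DEK-Info, key
derived from the passphrase with a single MD5 pass, no stretching) and a
PKCS#8 EncryptedPrivateKeyInfo (PBES2 with PBKDF2 or scrypt from current
openssl; its KDF parameters sit inside the DER and are not parsed here).
"""
import re

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z ]+)-----")
DEK_INFO = re.compile(r"DEK-Info: ([A-Z0-9-]+),")


def classify_pem_key(pem: str) -> dict:
    """Return {'encrypted': bool, 'scheme': str, 'note': str} for one PEM key."""
    match = PEM_BEGIN.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    label = match.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return {"encrypted": True, "scheme": "pkcs8-encrypted",
                "note": "PKCS#8 encrypted key; strength depends on the KDF "
                        "parameters inside and on the passphrase"}
    if label.endswith("PRIVATE KEY"):
        if "Proc-Type: 4,ENCRYPTED" in pem:
            dek = DEK_INFO.search(pem)
            cipher = dek.group(1).lower() if dek else "unknown"
            return {"encrypted": True, "scheme": f"legacy-{cipher}",
                    "note": "traditional OpenSSL encryption: one MD5 pass over "
                            "the passphrase, no key stretching"}
        return {"encrypted": False, "scheme": "none",
                "note": "plaintext key: whoever can read the file holds the credential"}
    raise ValueError(f"not a private key block: {label}")


# Constructed samples: only the armour and headers matter to this check,
# so the base64 bodies are placeholders rather than real keys.
PLAIN = ("-----BEGIN PRIVATE KEY-----\nMIIBplaceholder==\n"
         "-----END PRIVATE KEY-----\n")
LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
          "MIIEplaceholder==\n-----END RSA PRIVATE KEY-----\n")
PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFplaceholder==\n"
         "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in (("plain", PLAIN), ("legacy", LEGACY), ("pkcs8", PKCS8)):
        r = classify_pem_key(pem)
        print(f"{name:6} encrypted={r['encrypted']!s:5} {r['scheme']}: {r['note']}")
```

A legacy-scheme result is worth flagging even when the passphrase is good, since the single MD5 pass gives an attacker who copies the file a cheap offline guessing target.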