[openssl-users] Has client validated successfully?
d3ck0r at gmail.com
Tue Feb 20 17:34:18 UTC 2018
On Tue, Feb 13, 2018 at 9:33 AM, Emmanuel Deloget <logout at free.fr> wrote:
> On Tue, Feb 13, 2018 at 7:14 AM, Kyle Hamilton <aerowolf at gmail.com> wrote:
> > The only thing that the server can know is whether the client has
> > terminated the connection with a fatal alert. If the client validates
> > presented cert chains, then its continuation with the connection means
> > that it passed validation. If the client does not, or ignores any
> > given error, then it doesn't mean that it passed validation.
> > In other words, you can only know if the client's applied policy
> > allows the connection to continue. You cannot know if the policy that
> > was applied was specifically related to the certificate chain
> > presented.
> > -Kyle H
> > On Mon, Feb 12, 2018 at 10:06 PM, J Decker <d3ck0r at gmail.com> wrote:
> > > Is there a way for a server to know if the client verified the cert
> > > successfully or not?
> From a security PoV, that doesn't help much. One can build a malicious
> version of openvpn that will tell you "everything's ok" (or "it failed!",
> depending on its goal). The server should not make any decision w.r.t. the
> client state (that's more or less what is implied by Kyle's answer; I just
> wanted to stress it).
Yes, that is true.... however, here's the scenario.
Client does a verification and passes or fails, and via the SSL layer I can
query if the client validated the certificate.
If it failed, provide an option for the client to get a renewed certificate
for verification. If success, no action.
If an actor lies in this scenario, he answers:
lies *yes* and didn't: don't give him a means to actually verify. *noop*
lies *no* but did: then give him the root cert he already has.... *noop*
so I don't have to trust the reply.... I'm willing to give him the right
> -- Emmanuel Deloget
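To make Kyle's point concrete, here is an added Go example (not from this thread or from OpenSSL) that runs three handshakes against a local listener with a constructed self-signed certificate: a client that verifies and trusts the chain, one that verifies and rejects it, and one that skips verification. The names `serverView`, `trustingClient`, `untrustingClient` and `skippingClient` are assumptions of this example; the server's only observable is whether the client continued or sent a fatal alert, so the first and third clients are indistinguishable from the server side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed server certificate for 127.0.0.1 (constructed, regenerated on every run).
func selfSigned() (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

var serverCert, serverX509 = selfSigned()

// Three client policies: verify and trust, verify and reject, or skip verification altogether.
func trustingClient() *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(serverX509)
	return &tls.Config{RootCAs: pool}
}

var untrustingClient = &tls.Config{RootCAs: x509.NewCertPool()} // empty pool: no chain can be built, client aborts
var skippingClient = &tls.Config{InsecureSkipVerify: true}      // never looks at the chain, always continues

// serverView runs one handshake on a local listener and returns everything the server learns:
// nil if the client continued, the client's fatal alert if it did not.
func serverView(client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil { return err }
	defer ln.Close()
	go func() {
		if c, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil { c.Close() }
	}()
	conn, err := ln.Accept()
	if err != nil { return err }
	defer conn.Close()
	return conn.(*tls.Conn).Handshake() // blocks until the client's Finished or its alert arrives
}
```

`serverView(untrustingClient)` returns the remote alert, while `serverView(trustingClient())` and `serverView(skippingClient)` both return nil, which is exactly why the server cannot tell a careful client from one that ignored the chain.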