enforcing mutual auth from the client

Wall, Stephen stephen.wall at redcom.com
Thu Sep 1 21:57:28 UTC 2022

> It is not clear what threat model warrants taking special action when the client
> certificate is not requested.  It could equally be requested and then largely
> ignored.

A client in a highly secured network knows that every server it connects to will require a client certificate.  If the request fails to arrive, it's either a misconfiguration or a compromised server.  In either case, the client prefers to fail and make the user aware of a problem rather than risk compromising sensitive data with the user unaware that there was unexpected behavior.

More information about the openssl-users mailing list