[EXTERNAL] RE: enforcing mutual auth from the client
dnsands at sandia.gov
Thu Sep 1 22:01:41 UTC 2022
> > It is not clear what threat model warrants taking special action when
> > the client certificate is not requested. It could equally be
> > requested and then largely ignored.
> A client in a highly secured network knows that every server it connects to will
> require a client certificate. If the request fails to arrive, it's either a
> misconfiguration or a compromised server. In either case, the client prefers to
> fail and make the user aware of a problem rather than risk compromising
> sensitive data with the user unaware that there was unexpected behavior.
But as noted, even a compromised server can ask for client credentials and then ignore them. So in your threat model, the client might think it is talking to a legit server just because it asks for a certificate like it's "supposed to". But will happily be exchanging sensitive data with this compromised server.
More information about the openssl-users