[EXTERNAL] RE: enforcing mutual auth from the client
Sands, Daniel
dnsands at sandia.gov
Fri Sep 2 17:13:06 UTC 2022
On Fri, 2022-09-02 at 00:22 +0000, Wall, Stephen wrote:
> > A compromised server could easily still request the client
> > certificate, no?
> > But as noted, even a compromised server can ask for client
> > credentials and then
>
> Yes, that's true. If the intruder knew to do so. Also, a thief can
> break your window and get into your car, so you might as well leave
> them rolled down all the time.
>
> The question wasn't "Should I care that..." or "Is it a good idea
> to...". It was "Can OpenSSL 3 do this".
>
>
You really should be asking "Should I care that..." though. Security
by policy is even weaker than security by obscurity. Don't let
detection of this little "gotcha" lull you into a false sense of
security, or even heightened security.
More information about the openssl-users
mailing list