Re: Is Client connections via ca.crt only possible? - Mailing list pgsql-general

From Thomas Guyot
Subject Re: Is Client connections via ca.crt only possible?
Date
Msg-id 2427474d-b5f7-cd8a-c4a9-b6cf36644de0@gmail.com
In response to Is Client connections via ca.crt only possible?  (Rejo Oommen <rejo.oommen@gmail.com>)
List pgsql-general
On 2022-08-03 21:37, Rejo Oommen wrote:
> Thank you for the reply Thomas. I agree with you on the mutual TLS 
> that you mentioned.
>
> Here is what I was looking at.
>
> The configurations at the server end will be with auth-method as md5 
> and auth-option as clientcert=verify-ca.
>

There's your issue. If you tell the server to validate the client cert, 
then it will require the client to provide a valid cert to identify itself.

> In this way, the user's password along with the valid ca should allow 
> connections to pass.
>

The ca on your setup is only useful for the client to ensure the server 
is the correct one and prevent MITM attacks. This is a client-side 
check, not server-side.

The only authentication security here is the password/md5, but protected 
from eavesdropping (passive and MITM) and connection hijacking by 
encryption, with some of these protections only effective when the 
client uses the verify-ca option. The server cannot ensure the client is 
actually validating the ca, not even that it's talking to the actual 
client and not a MITM, simply because the client itself is not 
authenticated by mutual TLS.

Regards

--
Thomas
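The asymmetry Thomas describes (a `clientcert=` auth-option in pg_hba.conf is a demand the server makes of the client, while `sslmode=verify-ca` plus `sslrootcert` is a check the client makes of the server) is easy to get wrong when reading configs by eye. The following script is an added example, not code from this thread or from PostgreSQL: it parses a pg_hba.conf rule and a libpq connection string and reports which side verifies what, following the documented semantics of pg_hba.conf auth-options and libpq `sslmode`. The rules, hostnames and file paths it contains are constructed for illustration.

```python
"""Added example (not from the thread): work out which side of a PostgreSQL
TLS connection verifies what, from a pg_hba.conf rule and a libpq conninfo.
Semantics follow the PostgreSQL docs for pg_hba.conf and libpq sslmode;
all sample rules, hosts and paths below are constructed."""

import shlex

# Authentication methods accepted in the auth-method column of pg_hba.conf.
AUTH_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}


def parse_hba_rule(line):
    """Describe what the SERVER demands of the client for one pg_hba.conf rule.
    Returns None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = shlex.split(line)  # auth-options may be quoted, e.g. map="x y"
    conn_type, database, user = fields[:3]
    rest = fields[3:]
    # 'local' rules have no address column and host rules may write the
    # address as "addr/cidr" or "addr netmask", so find the method by name.
    idx = next(i for i, f in enumerate(rest) if f in AUTH_METHODS)
    method = rest[idx]
    options = dict(opt.split("=", 1) for opt in rest[idx + 1:])
    clientcert = options.get("clientcert")
    # 'cert' auth always needs a client certificate; for any other method only
    # the clientcert option (verify-ca, verify-full, or the legacy "1" spelling
    # accepted by older releases) makes the server require one.
    needs_cert = method == "cert" or clientcert in ("verify-ca", "verify-full", "1")
    return {
        "type": conn_type,
        "database": database,
        "user": user,
        "method": method,
        "tls_required": conn_type == "hostssl",
        "password_checked": method in ("md5", "scram-sha-256", "password"),
        "client_cert_required": needs_cert,
        "client_cert_cn_must_match_user": method == "cert" or clientcert == "verify-full",
    }


def parse_conninfo(conninfo):
    """Describe what the CLIENT verifies, from a libpq key=value conninfo string."""
    params = dict(kv.split("=", 1) for kv in shlex.split(conninfo))
    sslmode = params.get("sslmode", "prefer")  # libpq's default
    return {
        "tls_enforced": sslmode in ("require", "verify-ca", "verify-full"),
        # Only verify-ca / verify-full validate the server chain against sslrootcert.
        "server_cert_verified": sslmode in ("verify-ca", "verify-full"),
        "hostname_verified": sslmode == "verify-full",
        "presents_client_cert": "sslcert" in params,
    }


def assess(hba_line, conninfo):
    """Combine both sides: the server learns nothing from the client's own
    verification of the CA, so its only hold on the client is the password
    and, if demanded, the client certificate."""
    server = parse_hba_rule(hba_line)
    client = parse_conninfo(conninfo)
    return {
        "rejected_for_missing_client_cert":
            server["client_cert_required"] and not client["presents_client_cert"],
        "server_authenticates_client_cert":
            server["client_cert_required"] and client["presents_client_cert"],
        "server_checks_password": server["password_checked"],
        "client_detects_impostor_server": client["server_cert_verified"],
        # Whether the client verified the CA is invisible to the server.
        "server_knows_client_verified_ca": False,
    }


# Constructed samples. The first rule mirrors the configuration quoted in the thread.
SERVER_RULE_FROM_THREAD = "hostssl all all 0.0.0.0/0 md5 clientcert=verify-ca"
SERVER_RULE_PASSWORD_ONLY = "hostssl all all 0.0.0.0/0 scram-sha-256"
CLIENT_PASSWORD_ONLY = ("host=db.example.invalid user=app sslmode=verify-ca "
                        "sslrootcert=/etc/pki/ca.crt")  # constructed conninfo
CLIENT_MUTUAL_TLS = CLIENT_PASSWORD_ONLY + " sslcert=/etc/pki/app.crt sslkey=/etc/pki/app.key"

if __name__ == "__main__":
    for rule in (SERVER_RULE_FROM_THREAD, SERVER_RULE_PASSWORD_ONLY):
        for conn in (CLIENT_PASSWORD_ONLY, CLIENT_MUTUAL_TLS):
            print(rule, "|", conn.split()[-1])
            for k, v in assess(rule, conn).items():
                print(f"  {k}: {v}")
```

Run against the rule quoted in the thread, the password-only client is reported as rejected for lacking a certificate; the same client against the `scram-sha-256`-only rule connects, with the server relying on the password and the client relying on `verify-ca` to detect an impostor server.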


