On Fri, 2022-09-02 at 00:22 +0000, Wall, Stephen wrote:
> > A compromised server could easily still request the client
> > certificate, no?
> > But as noted, even a compromised server can ask for client
> > credentials and then
>
> Yes, that's true. If the intruder knew to do so. Also, a thief can
> break your window and get into your car, so you might as well leave
> them rolled down all the time.
>
> The question wasn't "Should I care that..." or "Is it a good idea
> to...". It was "Can OpenSSL 3 do this".
>

You really should be asking "Should I care that..." though. Security by policy is even weaker than security by obscurity. Don't let detection of this little "gotcha" lull you into a false sense of security, or even heightened security.

Re: [EXTERNAL] RE: enforcing mutual auth from the client
Sands, Daniel via openssl-users Fri, 02 Sep 2022 10:13:44 -0700