On 06/10/17 11:52, Илья Шипицин wrote:
[...snip...]
>     >
>     >     In addition, what happens when you try to use a revoked *client*
>     >     certificate when connecting to an HTTPS server demanding client
>     >     certificates to be present?
>     >
>     >
>     > 403
>     >
>     > (with customizable error message)
>     Really?  That shouldn't be possible, as you don't have an established
>     TLS connection to provide the HTTP 403 response.  Because the server
>     should reject the connection as the *client* certificate is invalid.
> 
> 
> 
> I did a test on IIS with "certificate required"; when you connect without
> a cert, you can see 403.
> ok, I'll test with a revoked cert as well

Okay, I've done some testing with my own Nginx server.  HTTPS is
actually different from the plain SSL/TLS protocol.

In HTTPS, the client certificate transfer is handled differently: there
exists an unauthenticated TLS connection when invalid certificates are
sent to the server.  This allows the server to respond with HTTP 40*
messages over HTTPS.

When trying the same using openssl s_client and s_server, the server
side instantly dumps a "certificate verify failed" message and it
disconnects.

This latter behaviour is the approach implemented in OpenVPN.  And I
doubt this can easily be changed, to have an unauthenticated response
channel, without breaking backwards compatibility with older clients.
We need to facilitate a few other approaches which ensure the clients
won't get confused.

Since both the HTTPS and the s_client/s_server tests happen over TCP
(as SSL/TLS is strictly designed for TCP only; which is why OpenVPN
encapsulates the SSL/TLS packets to allow it to use UDP), the client
will also disconnect when the TCP socket gets closed.  This is not
possible with UDP sockets, and is why we have --explicit-exit-notify
for UDP connections, to simulate the TCP FIN behaviour.

I hope this makes sense.


-- 
kind regards,

David Sommerseth
OpenVPN, Inc


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
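As an added illustration of the nginx behaviour described in the mail above (this is example configuration, not part of the original message and not the nginx project's or OpenVPN's own code): the directives and the $ssl_client_verify variable are real nginx features, while the server names, file paths and error-page locations are placeholders assumed for the example. The first server block shows the "certificate required" case, where nginx completes the TLS handshake anyway and fails the request at the HTTP layer; the second shows the "optional" case, where the outcome of the certificate check is exposed to the configuration so the refusal can be customised per reason.

```nginx
# Added example, not from the original mail. Paths, server names and the
# error-page location are placeholders assumed for this illustration.

# Variant A: client certificate mandatory. nginx finishes the TLS handshake
# regardless of the verification result and only then rejects the request,
# by default with HTTP 400 ("The SSL certificate error"). Internally a bad
# certificate is code 495 and a missing certificate is code 496, so both
# can be remapped to the status the mail mentions (403).
server {
    listen 443 ssl;
    server_name required.example;                          # placeholder

    ssl_certificate         /etc/nginx/tls/server.crt;     # placeholder
    ssl_certificate_key     /etc/nginx/tls/server.key;     # placeholder

    # CA that issued the client certificates, plus its CRL. The CRL is what
    # makes a *revoked* client certificate fail; without it the certificate
    # still chains to the CA and verifies successfully.
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;  # placeholder
    ssl_crl                 /etc/nginx/tls/client-ca.crl;  # placeholder
    ssl_verify_depth        2;

    ssl_verify_client on;
    error_page 495 496 =403 /cert-error;

    location = /cert-error {
        internal;
        return 403 "client certificate missing, invalid or revoked\n";
    }

    location / {
        root /var/www/required;                            # placeholder
    }
}

# Variant B: client certificate optional at the TLS layer, enforced at the
# HTTP layer. $ssl_client_verify is "SUCCESS", "NONE" (no certificate sent)
# or "FAILED:<reason>", so the response can name the reason, e.g.
# "FAILED:certificate revoked" when the CRL above lists the certificate.
server {
    listen 443 ssl;
    server_name optional.example;                          # placeholder

    ssl_certificate         /etc/nginx/tls/server.crt;     # placeholder
    ssl_certificate_key     /etc/nginx/tls/server.key;     # placeholder
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;  # placeholder
    ssl_crl                 /etc/nginx/tls/client-ca.crl;  # placeholder
    ssl_verify_depth        2;

    ssl_verify_client optional;

    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403 "client certificate check failed: $ssl_client_verify\n";
        }
        root /var/www/optional;                            # placeholder
    }
}
```

In both variants the 403 travels over a TLS session the server has already accepted, which is exactly why the OpenVPN handshake, which aborts at the "certificate verify failed" point like openssl s_server does, cannot deliver a comparable message without an unauthenticated response channel. Note that "optional" only relaxes the handshake; the request is still refused unless the certificate verified, so the two variants differ in where the decision is taken, not in whether it is enforced.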
