mTLS did not work for me.

I didn't invent my own crypto, but I used mutual HMAC authentication with a preshared secret and pluggable hash functions. It is an evolutionary step for a server-side PHP script that relied on the IP address alone to verify its client.

If anyone thinks it is worth a look, it is here:
https://github.com/mtodorov3-69/pam_url/tree/experimental

It would probably be prudent to have a peer review of the code before it is given to people trying to authenticate the VPNs with PAM.

Kind regards,
Mirsad
On 7.2.2022. 19:51, Paul Wouters wrote:
If you feel the pam TLS calls need more than server-side cert verification,
you should look into client authentication, e.g. mTLS. Don't invent your own
crypto.
Paul
--
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
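To illustrate the kind of scheme Mirsad describes (mutual HMAC challenge-response over a preshared secret with a selectable hash), here is an added example written for this thread; it is not code from pam_url, and the message layout, hash registry and all names in it are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example: the hash registry, message layout and function names
# are assumptions for illustration, not pam_url's actual wire protocol.
HASHES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

def prf(secret: bytes, hash_name: str, *parts: bytes) -> bytes:
    """HMAC over length-prefixed fields so 'ab'+'c' cannot collide with 'a'+'bc'."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(secret, data, HASHES[hash_name]).digest()

class Server:
    def __init__(self, secret: bytes, hash_name: str):
        self.secret, self.hash_name = secret, hash_name
    def challenge(self, client_nonce: bytes):
        # A fresh server nonce per handshake stops replay of an old client proof.
        self.client_nonce, self.nonce = client_nonce, os.urandom(16)
        proof = prf(self.secret, self.hash_name, b"server", client_nonce, self.nonce)
        return self.nonce, proof
    def verify(self, client_proof: bytes) -> bool:
        expected = prf(self.secret, self.hash_name, b"client", self.client_nonce, self.nonce)
        return hmac.compare_digest(expected, client_proof)  # constant-time compare

class Client:
    def __init__(self, secret: bytes, hash_name: str):
        self.secret, self.hash_name = secret, hash_name
    def start(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce
    def respond(self, server_nonce: bytes, server_proof: bytes):
        # Check the server's proof first: the client never answers an impostor.
        expected = prf(self.secret, self.hash_name, b"server", self.nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            return None
        return prf(self.secret, self.hash_name, b"client", self.nonce, server_nonce)

def run_handshake(client_secret: bytes, server_secret: bytes, hash_name: str = "sha256") -> bool:
    """True only when both ends prove knowledge of the same preshared secret."""
    client, server = Client(client_secret, hash_name), Server(server_secret, hash_name)
    c_nonce = client.start()
    s_nonce, s_proof = server.challenge(c_nonce)
    c_proof = client.respond(s_nonce, s_proof)
    return c_proof is not None and server.verify(c_proof)

if __name__ == "__main__":
    psk = b"example-preshared-secret"  # constructed value
    print(run_handshake(psk, psk))              # True
    print(run_handshake(psk, b"wrong-secret"))  # False
```

This authenticates both ends but encrypts nothing, so the exchange still needs to ride over the TLS channel the PAM module already verifies.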
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan