Hi Linus,
I have to meet accreditation requirements and evaluators go by the book in spite of the
fact that mutual authentication is much better than normal authentication. Syslog over TLS
provides an option in the configuration file to use either of them. I was wondering if RFC6614
became a standard or not, as currently it is an experimental RFC. Once again thanks a lot
for your help.
Regards,
Mofassir
On Friday, 7 October 2016 12:15 AM, Linus Nordberg <linus(a)nordu.net> wrote:
Hi Mofassir,
Ah. I misunderstood your question.
No, there is no way to disable mutual TLS authentication since that
would be a bad idea from a security point of view and also violate the
standard (see RFC6614 section 2.3). (Thinking of it, one could probably
argue that disabling CN/SAN verification is a violation of the standard
too.)
Out of curiosity, what is your use case?
Mofassir Ul Haque <mofassir_haque(a)yahoo.com> wrote
Wed, 5 Oct 2016 22:56:20 +0000 (UTC):
Hi Linus,
Thanks a lot for your reply. I retried it after setting `certificateNameCheck off' in the
Server block. However, it is still using mutual authentication (I am copying the packet
transfer between Client and Server below). The main difference which I could see was that
now it can establish a TLS connection with a non-matching CN name also.
I want to turn off mutual authentication, i.e. the Server should not ask for the Client
certificate in the Server Hello message. Is there any way to disable "SSL_VERIFY_PEER" in
the Server code?
Source         Destination    Protocol  Info
192.168.1.100  192.168.1.2    TLSv1.2   Client Hello
192.168.1.2    192.168.1.100  TLSv1.2   Server Hello
192.168.1.2    192.168.1.100  TLSv1.2   Certificate   <======= Server Certificate
192.168.1.100  192.168.1.2    TLSv1.2   Certificate   <======= Client Certificate
192.168.1.2    192.168.1.100  TLSv1.2   New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
Regards,
Mofassir
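The capture above is the kind of evidence an evaluator can check: a Certificate message travelling from the client means the server sent a CertificateRequest, regardless of what certificateNameCheck is set to. The following script is an added example, not part of this thread or of radsecproxy; it classifies a Wireshark-style handshake summary (a constructed sample modelled on the one above) as one-way or mutual authentication.

```python
"""Classify a plaintext TLS 1.2 handshake summary (Wireshark 'Info' column
export) as one-way or mutual authentication.  Added example; the sample
rows below are constructed, modelled on the capture in the thread."""

SAMPLE = """\
Source Destination Protocol Info
192.168.1.100 192.168.1.2 TLSv1.2 Client Hello
192.168.1.2 192.168.1.100 TLSv1.2 Server Hello
192.168.1.2 192.168.1.100 TLSv1.2 Certificate <======= Server
Certificate
192.168.1.100 192.168.1.2 TLSv1.2 Certificate <======= Client
Certificate
192.168.1.2 192.168.1.100 TLSv1.2 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
"""


def parse_summary(text):
    """Yield (src, dst, [handshake messages]) per TLS row.

    Header rows, wrapped continuation lines and trailing '<===' annotations
    (as in a hand-annotated capture) are dropped."""
    for line in text.splitlines():
        line = line.split("<")[0].strip()
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[2].startswith(("TLS", "SSL")):
            continue
        src, dst, _proto, info = parts
        yield src, dst, [m.strip() for m in info.split(",")]


def classify_handshake(text):
    """Return who is client/server and whether each side sent Certificate.

    Caveats: in TLS 1.2 a client that was asked for a certificate but has
    none still sends an *empty* Certificate message (RFC 5246 7.4.6), so
    'client_cert' means 'the server requested one', not 'one was supplied';
    and TLS 1.3 encrypts Certificate, so this summary check is TLS 1.2 only."""
    client = server = None
    server_cert = client_cert = False
    for src, dst, msgs in parse_summary(text):
        if client is None and "Client Hello" in msgs:
            client, server = src, dst          # first Client Hello fixes the roles
        if client is None or "Certificate" not in msgs:
            continue
        if src == server:
            server_cert = True
        elif src == client:
            client_cert = True
    return {"client": client, "server": server, "server_cert": server_cert,
            "client_cert": client_cert, "mutual": server_cert and client_cert}


if __name__ == "__main__":
    print(classify_handshake(SAMPLE))
```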
On Wednesday, 5 October 2016 7:58 PM, Linus Nordberg <linus(a)nordu.net> wrote:
Mofassir Ul Haque <mofassir_haque(a)yahoo.com> wrote
Wed, 5 Oct 2016 00:19:55 +0000 (UTC):
Currently, radsecproxy supports mutual authentication by default,
i.e. both the Client and the Server certificate are validated at the
time of TLS connection establishment. However, I want to only validate
the Server's certificate. Is it possible to make changes to the TLS Block
(radsecproxy.conf) or to the code to only do the validation of the Server
certificate? Any help will be greatly appreciated! Thanks,
You can set `certificateNameCheck off' in a server block to disable
verification of client CN and SAN.