Hi Linus,
I have to meet accreditation requirements and evaluators go by the book in spite of the fact that mutual authentication is much better than normal authentication. Syslog over TLS provides an option in the configuration file to use either of them. I was wondering if RFC6614 became a standard or not, as currently it is an experimental RFC. Once again thanks a lot for your help.
Regards, Mofassir
On Friday, 7 October 2016 12:15 AM, Linus Nordberg linus@nordu.net wrote:
Hi Mofassir,
Ah. I misunderstood your question.
No, there is no way to disable mutual TLS authentication since that would be a bad idea from a security point of view and also violate the standard (see RFC6614 section 2.3). (Thinking of it, one could probably argue that disabling CN/SAN verification is a violation of the standard too.)
Out of curiosity, what is your use case?
Mofassir Ul Haque mofassir_haque@yahoo.com wrote Wed, 5 Oct 2016 22:56:20 +0000 (UTC):
Hi Linus ,
Thanks a lot for your reply. I retried it after setting `certificateNameCheck off' in the Server block. However, it is still using mutual authentication (I am copying the packet transfer between Client and Server below). The main difference which I could see was that now it can establish a TLS connection with a non-matching CN name also.
To turn off mutual authentication, i.e. the Server should not ask for the Client certificate in the Server Hello message: is there any way to disable "SSL_VERIFY_PEER" in the Server code?
Source         Destination    Protocol  Info
192.168.1.100  192.168.1.2    TLSv1.2   Client Hello
192.168.1.2    192.168.1.100  TLSv1.2   Server Hello
192.168.1.2    192.168.1.100  TLSv1.2   Certificate   <======= Server Certificate
192.168.1.100  192.168.1.2    TLSv1.2   Certificate   <======= Client Certificate
192.168.1.2    192.168.1.100  TLSv1.2   New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
Regards, Mofassir
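The capture summary above is the evidence that mutual authentication is still happening: both peers send a Certificate message. The following script is an added example (not radsecproxy code and not part of the thread) that reads a packet-list summary in the same source/destination/protocol/info shape, works out which side is the client from the Client Hello, and reports whether the handshake was server-only or mutual. The sample trace embedded in it is constructed to match the one posted; the function and field names are this example's own.

```python
"""Classify a TLS 1.2 handshake capture summary by who sent Certificate messages.

Added example for this thread, not radsecproxy's own code. Input lines have
the shape "<src> <dst> <protocol> <info>", where <info> is one or more
comma-separated handshake message names, as in the packet list posted above.
"""

from dataclasses import dataclass

# Constructed sample matching the trace in the thread: 192.168.1.100 sends the
# Client Hello (so it is the client) and 192.168.1.2 is the server.
SAMPLE_TRACE = """\
192.168.1.100 192.168.1.2 TLSv1.2 Client Hello
192.168.1.2 192.168.1.100 TLSv1.2 Server Hello
192.168.1.2 192.168.1.100 TLSv1.2 Certificate
192.168.1.100 192.168.1.2 TLSv1.2 Certificate
192.168.1.2 192.168.1.100 TLSv1.2 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
"""


@dataclass
class Record:
    src: str
    dst: str
    proto: str
    info: tuple  # handshake message names carried by this record


def parse_trace(text):
    """Turn the summary text into Record objects, one per line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, proto, info = line.split(None, 3)
        msgs = tuple(m.strip() for m in info.split(","))
        records.append(Record(src, dst, proto, msgs))
    return records


def classify_handshake(records):
    """Return which side sent a Certificate and the resulting auth mode.

    Only meaningful for TLS 1.2 and earlier, where Certificate messages are
    sent in the clear. Note also that a TLS 1.2 client answers a
    CertificateRequest with an *empty* Certificate message when it has no
    certificate, so "client sent Certificate" means the server asked for one,
    not necessarily that a client certificate was verified.
    """
    client = server = None
    for r in records:
        if "Client Hello" in r.info:  # first Client Hello identifies the client
            client, server = r.src, r.dst
            break
    if client is None:
        raise ValueError("no Client Hello in trace")

    server_cert = any(r.src == server and "Certificate" in r.info for r in records)
    client_cert = any(r.src == client and "Certificate" in r.info for r in records)
    cert_request = any(r.src == server and "Certificate Request" in r.info for r in records)

    if server_cert and client_cert:
        mode = "mutual"
    elif server_cert:
        mode = "server-only"
    else:
        mode = "unknown"  # no cleartext Certificate seen (e.g. TLS 1.3 or resumption)

    return {
        "client": client,
        "server": server,
        "server_cert": server_cert,
        "client_cert": client_cert,
        "cert_request_seen": cert_request,
        "mode": mode,
    }


if __name__ == "__main__":
    result = classify_handshake(parse_trace(SAMPLE_TRACE))
    print(f"client={result['client']} server={result['server']} mode={result['mode']}")
```

On the posted trace this reports mode "mutual", which is what the thread is about: the server sent a Certificate Request (it is not shown as a separate row in the summary because capture tools fold several handshake messages into one record) and the client answered with its own Certificate. A capture in which only the server-to-client direction carries a Certificate would classify as "server-only".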
On Wednesday, 5 October 2016 7:58 PM, Linus Nordberg linus@nordu.net wrote:
Mofassir Ul Haque mofassir_haque@yahoo.com wrote Wed, 5 Oct 2016 00:19:55 +0000 (UTC):
Currently, radsecproxy supports mutual authentication by default, i.e. both the Client and the Server certificate are validated at the time of TLS connection establishment. However, I want to only validate the Server's certificate. Is it possible to make changes to the TLS Block (radsecproxy.conf) or to the code to only do the validation of the Server certificate? Any help will be greatly appreciated! Thanks,
You can set `certificateNameCheck off' in a server block to disable verification of client CN and SAN.