On Tue, Feb 13, 2018 at 9:33 AM, Emmanuel Deloget <log...@free.fr> wrote:

> Hello,
>
> On Tue, Feb 13, 2018 at 7:14 AM, Kyle Hamilton <aerow...@gmail.com> wrote:
>
> > The only thing that the server can know is whether the client has
> > terminated the connection with a fatal alert. If the client validates
> > presented cert chains, then its continuation with the connection means
> > that it passed validation. If the client does not, or ignores any
> > given error, then it doesn't mean that it passed validation.
> >
> > In other words, you can only know if the client's applied policy
> > allows the connection to continue. You cannot know if the policy that
> > was applied was specifically related to the certificate chain
> > presented.
> >
> > -Kyle H
> >
> > On Mon, Feb 12, 2018 at 10:06 PM, J Decker <d3c...@gmail.com> wrote:
> > > Is there a way for a server to know if the client verified the cert chain
> > > successfully or not?
>
> From a security PoV, that doesn't help much. One can build a malicious
> version of openvpn that will tell you "everything's ok" (or "it failed!",
> depending on its goal). The server should not make any decision w.r.t. the
> client state (that's more or less what is implied by Kyle's answer; I just
> wanted to stress it).

Yes, that is true.... However, here's the scenario. Client does a verification and passes or fails, and via the SSL layer I can query if the client validated the certificate. If it failed, provide an option for the client to get a renewed certificate for verification. If success, no action.

If an actor lies in this scenario, he answers:
    lies *yes* and didn't: don't give him a means to actually verify. *noop*
    lies *no* but did: then give him the root cert he already has.... *noop*
so I don't have to trust the reply.... I'm willing to give him the right root.

> BR,
>
> --
> Emmanuel Deloget
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
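Kyle's point in the thread above, that the server only learns whether the client continued or tore the handshake down with a fatal alert and never why, can be watched directly. The following is an added example and not code from the thread or from OpenSSL: it uses Python's standard ssl module to run three client policies against one loopback server with a self-signed certificate. It assumes the `openssl` command-line tool is on PATH to mint a throwaway certificate and that 127.0.0.1 is usable for a listener; the policy names and the report fields are invented for this example.

```python
# Added example, not code from the openssl-users thread: what a TLS server
# can observe about the client's certificate validation.  Three client
# policies are run against the same self-signed server on 127.0.0.1:
#   verify_trusted    - validates the chain and trusts the server cert
#   verify_untrusted  - validates the chain, empty trust store -> fatal alert
#   no_verify         - CERT_NONE, never looks at the chain
# Assumption: the `openssl` CLI is on PATH to mint a throwaway certificate.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

POLICIES = ("verify_trusted", "verify_untrusted", "no_verify")


def make_self_signed(workdir):
    """Mint a throwaway key + self-signed cert (test material only)."""
    cert = os.path.join(workdir, "cert.pem")
    key = os.path.join(workdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


def _serve_one(listener, server_ctx, report):
    """Accept one connection and record the only thing the server can see:
    did the handshake complete, or did the peer abort it (fatal alert/close)?"""
    conn, _ = listener.accept()
    conn.settimeout(5)
    try:
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            report["server"] = "handshake_completed"  # client continued; why is unknown
            tls.sendall(tls.recv(4))                   # echo so the client can close cleanly
    except ssl.SSLError as exc:
        # OpenSSL surfaces the client's alert description (e.g. unknown CA);
        # it does not say which client policy produced it.
        report.setdefault("server", "handshake_aborted")
        report["server_detail"] = exc.reason
    except OSError as exc:
        report.setdefault("server", "handshake_aborted")  # TCP close/reset, no alert
        report["server_detail"] = type(exc).__name__


def _client_context(policy, cert):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.check_hostname = False                      # topic is chain validation, not names
    if policy == "verify_trusted":
        ctx.load_verify_locations(cafile=cert)
    elif policy == "no_verify":
        ctx.verify_mode = ssl.CERT_NONE
    elif policy != "verify_untrusted":              # untrusted: keep the empty trust store
        raise ValueError(policy)
    return ctx


def handshake(policy, cert, key):
    """Run one client policy against a fresh server; return both sides' view."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    report = {}
    worker = threading.Thread(target=_serve_one, args=(listener, server_ctx, report))
    worker.start()
    try:
        raw = socket.create_connection(listener.getsockname(), timeout=5)
        try:
            with _client_context(policy, cert).wrap_socket(raw) as tls:
                tls.sendall(b"ping")
                tls.recv(4)
            # Under CERT_REQUIRED a completed handshake *is* the validation result.
            report["client"] = "skipped_validation" if policy == "no_verify" else "passed_validation"
        except ssl.SSLCertVerificationError as exc:
            report["client"] = "failed_validation"
            report["client_detail"] = getattr(exc, "verify_message", str(exc))
    finally:
        worker.join()
        listener.close()
    return report


def run_all_scenarios():
    """{policy: report}; None if no openssl CLI is available to mint a cert."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        try:
            cert, key = make_self_signed(workdir)
        except subprocess.CalledProcessError:
            return None
        return {p: handshake(p, cert, key) for p in POLICIES}


if __name__ == "__main__":
    for policy, r in (run_all_scenarios() or {}).items():
        print(f"{policy:17} client={r['client']:19} server={r['server']}",
              r.get("server_detail", ""))
```

Running it shows the asymmetry Kyle describes: for `verify_untrusted` the client raises SSLCertVerificationError and the server's handshake fails with the alert description OpenSSL received (typically unknown CA), while `verify_trusted` and `no_verify` both end in `handshake_completed` and are indistinguishable from the server's side. That is also the safe reading of J Decker's scenario: the one thing the server can act on is the fatal alert it actually received, not anything a client that kept the connection open says about its own validation.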