SSLVerifyClient did not exactly work out of the box on our apache2 server,
and I don't have the liberty to experiment with it ...

pam_url with HMAC-SHA-2 just works, and I believe it has sound logic:
HMAC-SHA-256 protected the URL POST fields from tampering in
man-in-the-middle attacks and the script return code.

However, brute forcing the CGI PHP script presents a problem, and mTLS still
seems like a way to do it, if only I could make it work for me.
Mirsad
On 2/7/2022 7:51 PM, Paul Wouters wrote:
If you feel the pam TLS calls need more than server side cert verification,
you should look into client authentication, e.g. mTLS. Don’t invent your own
crypto.
Paul
--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan