TLS: client certificates validation #830

Open
krizhanovsky opened this issue Aug 31, 2017 · 0 comments
Labels
enhancement TLS Tempesta TLS module and related issues
krizhanovsky commented Aug 31, 2017

There should be a configuration option which requires validation of clients' certificates. The functionality requires DNS resolving, so a user- vs kernel-space implementation is TBD (see net/dns_resolver). Basically, the same implementation issues as for #769 (Full TLS proxying). In this sense DoH #1104 as a DNS recursive server would be beneficial.

Requires OCSP stapling, #831. For a server that is often dealing with many clients, all with certificates from the same CA, CRL checking can be significantly more efficient than OCSP because the CRL can be downloaded once per day instead of needing to check OCSP for every connection.

Tests

Frankencert fuzzing (see the original paper) can be used for testing.

@krizhanovsky krizhanovsky added this to the 1.0 WebOS milestone Aug 31, 2017
@krizhanovsky krizhanovsky added the TLS Tempesta TLS module and related issues label Apr 28, 2020
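The issue asks for two things: a server-side switch that makes client certificates mandatory, and revocation checking driven by a CRL that is refreshed once a day rather than queried per connection. The following is an added illustration written for this page in Python's standard `ssl` module; it is not Tempesta code (Tempesta TLS lives in the kernel and has no such API) and it only shows how the same policy looks at the application level. The peer certificate dict, the issuer name, the serial numbers and the revoked-serial set are all constructed for the example.

```python
import ssl
import time

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a
# client certificate; names, dates and serial are made up for this example.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "client-1"),),),
    "issuer": ((("commonName", "Example Client CA"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}

# Constructed set of revoked serials, standing in for a CRL that was
# downloaded and parsed once per day.
SAMPLE_REVOKED_SERIALS = {"DEADBEEF"}

# How often the CRL is re-fetched (the "once per day" from the issue).
CRL_REFRESH_SECONDS = 24 * 3600


def build_mtls_server_context(certfile=None, keyfile=None, ca_file=None, crl_file=None):
    """Server context that requires a client certificate and checks it
    against a CRL.  Paths are optional only so the function can be built
    without files on disk; a real deployment passes all of them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED: handshake fails if the client presents no certificate
    # or one that does not chain to a loaded CA.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Check the presented leaf certificate against the loaded CRL.  With this
    # flag set and no CRL loaded, every handshake fails ("unable to get
    # certificate CRL"), so the CRL file must be loaded before serving.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def context_enforces_client_certs(ctx):
    """True if the context both demands a client cert and CRL-checks it."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF))


def crl_needs_refresh(last_fetched_at, now, max_age=CRL_REFRESH_SECONDS):
    """Decide whether the cached CRL is stale; called once per fetch
    interval, not once per connection."""
    return last_fetched_at is None or now - last_fetched_at >= max_age


def _common_name(name):
    # getpeercert() encodes names as a tuple of RDNs, each a tuple of pairs.
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def client_cert_allowed(peer_cert, trusted_issuer_cn, revoked_serials, now=None):
    """Application-level policy applied after the TLS layer verified the
    chain: right issuer, not revoked, within validity.  Returns
    (allowed, reason)."""
    now = time.time() if now is None else now
    if not peer_cert:
        return False, "no client certificate"
    if _common_name(peer_cert.get("issuer", ())) != trusted_issuer_cn:
        return False, "unexpected issuer"
    if peer_cert.get("serialNumber", "").upper() in revoked_serials:
        return False, "revoked"
    if now < ssl.cert_time_to_seconds(peer_cert["notBefore"]):
        return False, "not yet valid"
    if now >= ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return False, "expired"
    return True, "ok"
```

The CRL path is cheaper than OCSP exactly as the issue says: `crl_needs_refresh` runs on a timer, and each connection only pays for a set lookup in `client_cert_allowed`. The serial comparison is uppercased because `getpeercert()` reports serials in uppercase hex while operators often paste them in lowercase.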