If a client presents a certificate to the server, the certificate is validated according to Murmurs Client Truststore (MCTS), which by default contains murmurs own chain-of-trust as well as the hostmachines CAs. Without further ado, these are the options (the below explanations should be added to to wiki if this PR is accepted):ĪllowedClientSslErrors (default: AllowNoPeerCertificate, AllowSelfSignedCertificate, AllowSelfSignedCertificateInChain, AllowUnableToGetLocalIssuerCertificate, AllowUnableToVerifyFirstCertificate, AllowHostNameMismatch, AllowCertificateNotYetValid, AllowCertificateExpired) The default values of these options are set in a way, that if a server admin just ignores them, murmurs behaviour does not change compared to how it acts currently. To use this improvements, new options for murmur.ini are created. To clean this up, this PR introduces the Murmur Client Truststore (MCTS), which can be freely configured and is then used when deciding whether to trust a clients certificate or not.įinally, when a user provided a trusted certificate accepted by murmur, it may be desirable to force that user to use the name the certificate was issued to (as requested in #4940). In the current implementation of ssl handling, this is actually possible, but only to a certain extend and only by abusing some configuration options (more on this in the technical part). So this PR makes them configurable.Īfter being able to configure which errors should be ignored, a logical next step is to make it configurable whom to trust. In some usecases, this makes total sense, but in others it is necessary to act on them. While validating a clients certificate, multiple ssl exceptions can occur, but murmur ignores many of them (see #3523). This is in theory a very strong security approach, but murmur is limited when it comes to processing these client certificates. In current murmur, clients present certificates to murmur to proof their identity. This PR addresses SSL Error Configuration and Client Certificate Trusting (both #3523), as well as Username Client Certificate CN Equality ( #4940). This is a reopening of #4963 with a commit targeting #4960 removed, since it was rejected after discussion.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |