Lazyweb, a question: if I run a certificate authority, let's call it A, and a web server W, is there a way for me to say that a client C must have A manually installed as a trusted CA in order to get a web page from W?
I mean "get the page at all", not "have a fallback option" or "see a warning".
I mean for people with A installed it's a normal website, and for people without A it's completely inaccessible.
-
@mhoye _Specifically_ that the client must be manually configured to trust the issuer? Not in any commonly-deployed configuration I'm aware of, no. TLS implementations tend to make very little distinction between system, managed, and user-provided trust roots.
-
@mhoye I suppose https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security will be a possible solution.
-
@mhoye You could get partway to what it seems like you want by having W require a _client_ certificate, signed by A, for any TLS connection, but then you have to provision client certs for each client - not just configure them to trust A.
-
@mhoye closest thing I've ever seen is in Radius, where the Radius *server* gets a TLS Alert "bad certificate" whenever a client fails to connect to it due to a failure in the server cert validation.
Maybe TLS Alert is a good keyword to look into (http://www2.gnutls.org/manual/html_node/The-TLS-Alert-Protocol.html)
-
@mhoye yeah... nginx does not provide a variable with a server cert verification error, and apache doesn't seem to have any similar tool either.
Also thinking about this, if a client trusts the server cert directly without having the CA cert installed, it wouldn't send a TLS alert. The connection will just succeed.
If you're going to be installing a custom cert on the clients, you might as well make it a client cert. This has the benefit of using a tried and tested authentication method.
-
@mhoye it sounds like you’re looking for mutual authentication? https://en.wikipedia.org/wiki/Mutual_authentication
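The client-certificate route the replies above point to, as an added example that is not code from anyone in this thread: a small Go program stands up W with a certificate from A, makes W demand a client certificate also issued by A, and shows that a client which trusts A but has no such certificate gets a TLS failure rather than a page. The names A, W, C and the hostname w.example are assumptions made for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue gives t a validity window, generates an Ed25519 key and signs t with parentKey (self-signed when parent is nil).
func issue(t, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}
// Demo runs W so it serves only clients holding a certificate issued by A; returns the HTTP status the provisioned client C sees and the error a client without one gets instead of a page.
func Demo() (int, error) {
	_, ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "A"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	wCert, _, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "W"}, DNSNames: []string{"w.example"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	cCert, _, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "C"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	pool := x509.NewCertPool() // A is the only trust anchor, for W and for both clients below
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("hello")) }))
	// RequireAndVerifyClientCert: with no certificate chaining to A the handshake fails, so W never sends any HTTP bytes.
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{wCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	get := func(certs []tls.Certificate) (status int, err error) { // certs is the client's own certificate, if any
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "w.example", Certificates: certs}}}).Get(srv.URL)
		if err == nil {
			status = resp.StatusCode
			resp.Body.Close()
		}
		return status, err
	}
	status, _ := get([]tls.Certificate{cCert}) // C trusts A and presents its own cert: a normal website
	_, err := get(nil)                         // trusts A but has no client cert: no page at all
	return status, err
}
```

Note that the second client already trusts A; it is the missing client certificate, not the missing trust anchor, that locks it out, which is exactly the distinction the replies draw.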