SslStream client on Linux incorrectly reports that it is mutually authenticated #40314
Comments
Tagging subscribers to this area: @dotnet/ncl
It seems like the code looks for availability of a certificate for both sides. As you mentioned, that does not prove that the server actually asked for it. I don't know if OpenSSL has an API to track that.
The flag is false on Windows because of the following line
On Linux (and OSX as well), #63200 already adds usage of
Description
When using SslStream.AuthenticateAsClient with a client certificate, IsMutuallyAuthenticated is set to true even if the server did not request a client certificate and the client didn't send one. It should be false, as the client has not authenticated itself to the server (which is the behaviour on Windows).
I've written a short demo program: smbz/IsMutuallyAuthenticatedDemo. Just so it's here, the core is:
After the call to AuthenticateAsClient, stream.IsMutuallyAuthenticated is false on Windows but true on Linux.
Configuration
This affects Linux but not Windows (I'm not sure about Mac).
Platform details:
Other information
A Wireshark dump verifies that the server doesn't request a client certificate. I can provide the dump file if needed, but I won't make it public because of MAC addresses.
This is not a security vulnerability because it does not affect the authentication of the client to the server or the server to the client. It only makes the client think that it has authenticated itself to the server.
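The following is an added example, not the reporter's demo program (smbz/IsMutuallyAuthenticatedDemo) and not code from dotnet/runtime. It reproduces the scenario described above inside one process: a loopback SslStream server configured with clientCertificateRequired: false (so no CertificateRequest is sent) and a client that nevertheless hands a certificate to AuthenticateAsClientAsync. The server's RemoteCertificate is the ground truth for whether client authentication actually happened, and it is compared against the client's IsMutuallyAuthenticated flag. The names MakeCert, ProbeAsync and MutualAuthProbe are chosen here; both certificates are self-signed and generated in-process, so the client's validation callback accepts any server certificate.

```csharp
// Added example (not the issue author's code, not dotnet/runtime code).
// Loopback TLS handshake: server does not request a client certificate,
// client supplies one anyway, then both sides' view of mutual auth is compared.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class MutualAuthProbe
{
    // Self-signed certificate with a persisted private key (helper name chosen here).
    // The PFX round-trip matters on Windows: SChannel cannot use the ephemeral key
    // that CreateSelfSigned returns.
    static X509Certificate2 MakeCert(string cn)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        using var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                                   DateTimeOffset.UtcNow.AddDays(1));
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string)null,
                                    X509KeyStorageFlags.Exportable);
    }

    // Returns the client's flag, the server's flag, and whether the server actually
    // received a client certificate during the handshake.
    static async Task<(bool clientFlag, bool serverFlag, bool serverGotClientCert)> ProbeAsync()
    {
        using var serverCert = MakeCert("localhost");
        using var clientCert = MakeCert("probe-client");

        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        try
        {
            var acceptTask = listener.AcceptTcpClientAsync();
            using var tcpClient = new TcpClient();
            await tcpClient.ConnectAsync(IPAddress.Loopback, ((IPEndPoint)listener.LocalEndpoint).Port);
            using var tcpServer = await acceptTask;

            using var server = new SslStream(tcpServer.GetStream(), leaveInnerStreamOpen: false);
            // Self-signed server cert: accept it unconditionally, this probe is not about chain validation.
            using var client = new SslStream(tcpClient.GetStream(), leaveInnerStreamOpen: false,
                                             (sender, cert, chain, errors) => true);

            // Both handshake halves run concurrently; each one waits on the other's flights.
            // clientCertificateRequired: false means the server sends no CertificateRequest.
            Task serverHandshake = server.AuthenticateAsServerAsync(
                serverCert, clientCertificateRequired: false, checkCertificateRevocation: false);
            Task clientHandshake = client.AuthenticateAsClientAsync(
                "localhost", new X509CertificateCollection { clientCert }, checkCertificateRevocation: false);
            await Task.WhenAll(serverHandshake, clientHandshake);

            return (client.IsMutuallyAuthenticated,
                    server.IsMutuallyAuthenticated,
                    server.RemoteCertificate != null);
        }
        finally
        {
            listener.Stop();
        }
    }

    static async Task<int> Main()
    {
        var (clientFlag, serverFlag, serverGotClientCert) = await ProbeAsync();
        Console.WriteLine($"OS: {RuntimeInformation.OSDescription}");
        Console.WriteLine($"client.IsMutuallyAuthenticated   = {clientFlag}");
        Console.WriteLine($"server.IsMutuallyAuthenticated   = {serverFlag}");
        Console.WriteLine($"server.RemoteCertificate != null = {serverGotClientCert}");

        // The server never asked for a certificate, so it must not hold one.
        // A client flag of true while the server holds none reproduces this issue.
        if (serverGotClientCert)
            Console.WriteLine("Unexpected: server received a client certificate it never requested.");
        if (clientFlag && !serverGotClientCert)
            Console.WriteLine("Reproduced: client believes it is mutually authenticated; the server disagrees.");
        return clientFlag == serverGotClientCert ? 0 : 1;
    }
}
```

On a runtime that behaves as the report says Windows does, all three values print false and the process exits 0. On an affected Linux build the client flag prints true while server.RemoteCertificate stays null, and the process exits 1. The practical takeaway for code that gates behaviour on client authentication is the one the comparison makes visible: the server side's RemoteCertificate (or the server's own IsMutuallyAuthenticated) is the value to trust, and a client should not infer from its own IsMutuallyAuthenticated that the peer ever saw its certificate.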