I was hoping to be able to authenticate with this proxy using client TLS auth. So I generated a server cert+key from my custom CA, and generated a client cert+key from the same custom CA. I then started the application with the following args:
I then connected using openssl's s_client, using the client cert and key, and saw that it worked.
I then removed the client and key to get rid of the client auth and repeated the experiment with s_client. It still worked. It was not denying my access due to the lack of client TLS.
So I re-read the docs and noticed that you're supposed to supply a CRL file too. So I generated one for the CA using easyrsa gencrl and restarted the server with the args:
No difference. It still allowed proxying whether or not I do client TLS. However, this time it spits out an extra error at startup that the CRL doesn't match the CA:
{"level":"info","msg":"warn: CRL loaded for issuer 'ee6a2f448e7c9b7a2b8955a50bc34da7bacc3509' but no such CA loaded: ignoring it\n","time":"2021-12-14T10:56:28.0796894Z"}
0 loaded certs
info: Loaded CA with Authority ID 'ee6a2f448e7c9b7a2b8955a50bc34da7bacc3509'
{"level":"info","msg":"starting","time":"2021-12-14T10:56:28Z"}
You'll notice that the two hashes are the same and that the CRL error comes before the "Loaded CA" log. Not sure if that's relevant. I tried changing the order of the command line args and it made no difference.
Now, I could be misunderstanding what these args do, or there could be a bug; I'm not sure. I just want to be able to tell the server to only allow proxying when client TLS has occurred and the client's cert is signed by the provided CA. Is that an option?
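As an added example (not code from this issue or from the proxy being discussed), here is how the behaviour the reporter is asking for looks in Go's standard library: a server-side tls.Config that fails the handshake unless the client presents a certificate chaining to the loaded CA, rejects serials listed in a CRL, and refuses outright a CRL that the CA did not sign instead of logging and ignoring it. The CA, the CRL, the CA name and the revoked serial are all constructed for the example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must panics on err: fine for a throwaway fixture, never for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newTestCAAndCRL builds a throwaway self-signed CA (constructed here) and a CRL it signs revoking one serial.
func newTestCAAndCRL(revokedSerial int64) (*x509.Certificate, *x509.RevocationList) {
	key, now := must(rsa.GenerateKey(rand.Reader, 2048)), time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-test-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is mandatory for a CRL issuer
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	return ca, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crl, ca, key))))
}
// mtlsConfig returns a server tls.Config that fails the handshake unless the client presents a certificate chaining
// to ca whose serial is not in crl. A CRL that ca did not sign is refused (the issuer mismatch in the issue's log).
func mtlsConfig(ca *x509.Certificate, crl *x509.RevocationList) (*tls.Config, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, errors.New("CRL not issued by the loaded CA: " + err.Error())
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		ClientCAs:  pool,
		ClientAuth: tls.RequireAndVerifyClientCert, // no client cert, or one not chaining to ca: handshake fails
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			for _, e := range crl.RevokedCertificates { // chains[0][0] is the verified client leaf
				if chains[0][0].SerialNumber.Cmp(e.SerialNumber) == 0 {
					return errors.New("client certificate revoked")
				}
			}
			return nil
		},
	}, nil
}
```

With this config, openssl s_client without a certificate fails the handshake instead of being proxied, and a CRL from another CA stops the server at startup rather than being ignored.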