Closed mpg closed 3 weeks ago
See https://github.com/Mbed-TLS/mbedtls/issues/7080 for more discussion on the client side.
On the server side, why would we remove OPTIONAL? It does make sense sometimes to accept both authenticated and unauthenticated clients. For example a server that shows public data to all clients, but gives authenticated clients extra privileges.
On the server side, why would we remove OPTIONAL? It does make sense sometimes to accept both authenticated and unauthenticated clients. For example a server that shows public data to all clients, but gives authenticated clients extra privileges.
Right, I don't what I was thinking, OPTIONAL is clearly useful on the server side (for client authentication).
So, I'm closing this in favour of #7080.
From a security perspective (and even from a compliance perspective when it comes to 1.3) we should not make it easy for clients to skip server authentication.
Also from a security perspective, the TLS handshake assumes the certificate chain is validated during the handshake. Postponing validation to after the handshake can contribute to issues like the Triple handshake attack (which relies on a lot more than that, though).
So, I'm suggesting we:
MBEDTLS_SSL_VERIFY_NONE
only available server-side.MBEDTLS_SSL_VERIFY_OPTIONAL
entirely - the documentation already recommends against it.Instead, people who really want those can still emulate them by using the verify callback. That's less convenient, and I see this as a feature: potentially reducing the security of the protocol is not something we should make easy.