search

Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/
Other
5.19k stars 2.54k forks source link

Consider removing TLS's verification modes NONE and OPTIONAL #8659

Closed mpg closed 3 weeks ago

mpg commented 8 months ago

From a security perspective (and even from a compliance perspective when it comes to 1.3) we should not make it easy for clients to skip server authentication.

Also from a security perspective, the TLS handshake assumes the certificate chain is validated during the handshake. Postponing validation to after the handshake can contribute to issues like the Triple handshake attack (which relies on a lot more than that, though).

So, I'm suggesting we:

Instead, people who really want those can still emulate them by using the verify callback. That's less convenient, and I see this as a feature: potentially reducing the security of the protocol is not something we should make easy.

gilles-peskine-arm commented 3 months ago

See https://github.com/Mbed-TLS/mbedtls/issues/7080 for more discussion on the client side.

On the server side, why would we remove OPTIONAL? It does make sense sometimes to accept both authenticated and unauthenticated clients. For example a server that shows public data to all clients, but gives authenticated clients extra privileges.

mpg commented 3 weeks ago

On the server side, why would we remove OPTIONAL? It does make sense sometimes to accept both authenticated and unauthenticated clients. For example a server that shows public data to all clients, but gives authenticated clients extra privileges.

Right, I don't what I was thinking, OPTIONAL is clearly useful on the server side (for client authentication).

So, I'm closing this in favour of #7080.