Add TLS Client Authentication #1151
base: dev-next
Update gVisor to 20231113.0
Introduce a feature to require and verify a client certificate to provide mutual authentication in TLS.
This comment was marked as spam.
This comment was marked as abuse.
This comment was marked as spam.
mTLS is an established protocol and the SSL error you mention is expected. The peers communicating using mTLS need to use certificates which are signed by a self-issued root certificate, meaning such networks are not available for public access and the usual one-way TLS connections are not allowed. So it is meaningless to implement a fallback since it completely invalidates the mTLS processes.
This comment was marked as spam.
This comment was marked as abuse.
fix typo in tls.zh.md
Signed-off-by: jose-C2OaWi <[email protected]>
This is absurd. Regarding the diagram you have sent, the server asks for a certificate from the client (which tells the client that the protocol being used is mTLS and not TLS), whereas in normal TLS no such operation is performed. By simply accepting the GFW's invalid certificate and serving a webpage, you are practically violating the protocol you are advertising to conform to, and this is a much more severe footprint than correctly rejecting the GFW's invalid certificate.
bbea3aa to a75d45e
4cbb736 to 927865e
Signed-off-by: jose-C2OaWi <[email protected]>
b759111 to 733c14d
be13007 to 492934f
Add a feature for Issue 1054
Credits:
@ginuerzh for the implementation of gost