Issue with MutualAuth


Justin Backman

May 26, 2021, 12:57:26 PM
to mountebank-discuss
I opened https://github.com/bbyars/mountebank/issues/620 but wanted to see if anyone here had the issue. I don't get rejected when using mutual auth but not providing a client certificate. Has anyone else run into this?

Brandon Byars

May 26, 2021, 1:24:31 PM
to Justin Backman, mountebank-discuss
Hey Justin,
The intention is not to fail based on CA validation (to support self-signed certs for testing), but to still require a cert. I'll have to look if that's not right. My understanding from the node docs is that setting requestCert to true (the default), and rejectUnauthorized to false (which mountebank does) should get that behavior, but it appears there's more to it than that.

Apologies, the last ~3 months have been brutal from a work standpoint, so I'm well behind on integrating all PRs and fixing new bugs.
-Brandon


Justin Backman

May 26, 2021, 1:55:18 PM
to mountebank-discuss
The way I have seen Mutual Auth done before, there are three modes:

1. Don't request a client cert (No client cert auth) (don't request client cert)
2. Request a client cert but don't fail if one is not provided (Optional client cert auth) (request client cert but don't require)
3. Request a client cert and if it doesn't match a provided CA, fail (Required client cert auth) (request client cert and require)

Reading the docs:

  • rejectUnauthorized <boolean> If not false the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if requestCert is true. Default: true. <- This is require or not require client cert
  • requestCert <boolean> If true the server will request a certificate from clients that connect and attempt to verify that certificate. Default: false. <- This is request or not request client cert 
I believe that to fix this, two additional parameters should be added:
    in https://github.com/bbyars/mountebank/blob/369a7c977f3eba6f64731383a37b0f3db64d7bfa/src/models/https/httpsServer.js#L19-L23 you need to add a ca element to the config that could be controlled by configuration
    I also think making https://github.com/bbyars/mountebank/blob/369a7c977f3eba6f64731383a37b0f3db64d7bfa/src/models/https/httpsServer.js#L23 a configuration option would allow us to enforce this
