Project

General

Profile

Lighttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication

Added by ginugeorgeami about 1 month ago

Hello All,

I am using the below mentioned version of lighttpd server

The application supports two types of authentication - Basic Authentication and Client Certificate Authentication.

To enable the Client Certificate Authentication, we have added the below configuration on top of the default lighttpd configuration

When a client requests for a REST API via Basic Authentication mechanism by enforcing TLSv1.2 , the Server requests for the Certificate from the Client. This we can observe plainly from the wireshark packets captured :

When the very same client requests for a REST API via Basic Authentication mechanism by enforcing TLSv1.3, we do not observe any Client Certificate request from the Server as shown below :

Is this behaviour of "the Server requesting the Certificate from the Client even when the Client opts for Basic Authentication" expected ? or is there any configurable option to disable the Server from requesting the CLient Certificate ? Any suggestions or inputs are welcome.

Regards,
Ginu George


Replies (3)

RE: LIghttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication - Added by gstrauss about 1 month ago

Is this behaviour of "the Server requesting the Certificate from the Client even when the Client opts for Basic Authentication" expected ?

You are confusing separate concepts.

TLSv1.2 and TLSv1.3 are different and TLSv1.3 may handle client certificate request differently.

TLS negotiation occurs before the encryped HTTP request. If the TLS negotiation did not occur beforehand, then the HTTP request would not be encrypted. If lighttpd is configured to request client certificate auth, then lighttpd does so during TLS negotiations, and this happens before the HTTP request and therefore before it is known whether or not the client sent an HTTP request containing Basic Auth Authorization request header.

or is there any configurable option to disable the Server from requesting the CLient Certificate ?

ssl.verifyclient.activate

However, as noted above, the HTTP request is not known before TLS negotiation, so ssl.verifyclient.activate must be configured before TLS negotiation, and is therefore effective only in lighttpd.conf global config scope and $SERVER["socket"] config scope.

Aside: lighttpd 1.4.45 (released Jan 2017) is outdated. Your systems are running ancient software, and are likely also running ancient openssl libraries which may have known bugs or vulnerabilities. You should strongly consider updating your systems. The current lighttpd release is lighttpd 1.4.67 (released Sep 2022), and lighttpd 1.4.68 is scheduled to be released in Jan 2023. Your systems are at least 22 (!!!) lighttpd releases out-of-date!!!

RE: LIghttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication - Added by ginugeorgeami about 1 month ago

@gstrauss Thanks for the quick reply.

TLSv1.2 and TLSv1.3 are different and TLSv1.3 may handle client certificate request differently.

We would like to know in terms of handling client certificate request, how different is TLSv1.3 from TLSv1.2.

RE: LIghttpd Server requests for Client Certificate in TLSv1.2 when using Basic Authentication - Added by gstrauss about 1 month ago

We would like to know in terms of handling client certificate request, how different is TLSv1.3 from TLSv1.2.

Cool. Sounds like you have some research to do. A search engine is a good place to start.

    (1-3/3)