Client-connect: High level security could allow TLS-Auth/Crypt keys by configuration #229

Open
TinCanTech opened this issue Oct 27, 2021 · 1 comment

@TinCanTech

Example:
#key_hwaddr_required=1 could still allow TLS-Auth/Crypt only key access ..

A slightly finer balance with #crypt_v2_required=1

@TinCanTech TinCanTech added the enhancement New feature or request label Oct 27, 2021
@TinCanTech TinCanTech added this to the Version 2.6 milestone Oct 27, 2021
@TinCanTech TinCanTech self-assigned this Oct 27, 2021
@TinCanTech

Review this:

* Select the level of hardware-address verification required ?
+----------------------------------------
| TLS-Auth/Crypt and TLS-Crypt-V2 Server
+----------------------------------------
| [0] Low - Allow all keys to connect, hwaddr verification is not enforced.
|
| [1] Default - Do not require clients to push a hwaddr.
|     TLS-Crypt-V2 keys with a hwaddr mismatch will be disconnected.
|     TLS-Crypt-V2 keys without a hwaddr can connect.
|     TLS Auth and Crypt-v1 keys can connect.
|
| [2] Medium - Require all clients to push a hwaddr.
|     TLS-Crypt-V2 keys with a hwaddr mismatch will be disconnected.
|     TLS-Crypt-V2 keys without a hwaddr can connect but must push a hwaddr.
|     TLS Auth and Crypt-v1 keys can connect but must push a hwaddr.
+----------------------------------------
| TLS-Crypt-V2 ONLY Server
+----------------------------------------
| [3] Medium-High - Do not require clients to push a hwaddr.
|     TLS-Crypt-V2 keys without a Hardware-address can connect.
|
| [4] High - Require all clients to push a hwaddr.
|     TLS-Crypt-v2 keys without a hwaddr can connect but must push a hwaddr.
|
| [5] Very High - hwaddr verification is enforced on all clients.
|     TLS-Crypt-V2 key must have a hwaddr and client must push a hwaddr.

Possibly, have a new flag to allow TLS-Auth/Crypt at level 3-5 ?
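
The level table proposed in the comment above, written out as one decision function (an added example, not part of the original issue and not the project's code). `hwaddr_verdict`, `norm_hwaddr` and their arguments are hypothetical names. It assumes one hwaddr per key, that a key carrying a hwaddr fails closed when the client pushes nothing, and that level 3 disconnects mismatches as level 1 does; the issue states none of these.

```sh
#!/bin/sh
# Added example: the proposed hwaddr verification levels 0-5 as one decision.
# hwaddr_verdict / norm_hwaddr are hypothetical names, not the project's code.

# Normalise a MAC so 00:1a:2b:.. and 00-1A-2B-.. compare equal.
norm_hwaddr() { printf '%s' "$1" | tr -d ':-' | tr 'a-f' 'A-F'; }

# usage: hwaddr_verdict LEVEL KEY_TYPE KEY_HWADDR PUSHED_HWADDR
#   KEY_TYPE is auth, crypt-v1 or crypt-v2; '' means "no hwaddr".
# Prints "allow" (status 0) or "deny: <reason>" (status 1).
hwaddr_verdict() {
    level=$1 key_type=$2
    key_hw=$(norm_hwaddr "$3") pushed=$(norm_hwaddr "$4")

    case $level in
        0) echo allow; return 0 ;;          # Low: nothing is enforced
        1|2|3|4|5) ;;
        *) echo "deny: unknown level"; return 1 ;;
    esac

    if [ "$key_type" != crypt-v2 ]; then
        # Levels 3-5 are TLS-Crypt-V2 ONLY servers.
        if [ "$level" -ge 3 ]; then echo "deny: crypt-v2 key required"; return 1; fi
        # Level 2 requires every client to push a hwaddr.
        if [ "$level" -eq 2 ] && [ -z "$pushed" ]; then
            echo "deny: hwaddr not pushed"; return 1
        fi
        echo allow; return 0
    fi

    # Level 5: the key itself must carry a hwaddr.
    if [ "$level" -eq 5 ] && [ -z "$key_hw" ]; then
        echo "deny: key has no hwaddr"; return 1
    fi
    # Levels 2, 4 and 5: the client must push a hwaddr.
    case $level in 2|4|5)
        if [ -z "$pushed" ]; then echo "deny: hwaddr not pushed"; return 1; fi ;;
    esac
    # Assumption: a key with a hwaddr fails closed when nothing is pushed
    # (levels 1 and 3), and level 3 rejects mismatches like level 1.
    if [ -n "$key_hw" ] && [ "$pushed" != "$key_hw" ]; then
        echo "deny: hwaddr mismatch"; return 1
    fi
    echo allow
}

# Constructed sample: the same TLS-Auth client at level 2 and at level 3.
printf 'level 2: %s\n' "$(hwaddr_verdict 2 auth '' 'AA:BB:CC:00:11:22')"
printf 'level 3: %s\n' "$(hwaddr_verdict 3 auth '' 'AA:BB:CC:00:11:22')"
```

The level 3 line shows the case the issue title is about: a TLS-Auth/Crypt key that was acceptable at level 2 is refused outright once the server is TLS-Crypt-V2 only.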

@TinCanTech TinCanTech removed this from the Version 2.6 milestone Nov 9, 2021
TinCanTech referenced this issue Dec 2, 2021
| [0] Lowest - Allow all valid TLS-AUTH/Crypt/V2 keys to connect.
|     ALL TLS-Crypt-V2 key extended tests are NOT performed.

*New*
| [1] Low - Functionally equivalent to [0] Low - Allow all..
|     Except, ALL TLS-Crypt-V2 key extended tests are performed.
|     Same as default [2], except hwaddr-mismatches are IGNORED.

*Bumped* from [1]
| [2] Default - Do not require clients to push a hwaddr.
|     TLS-Crypt-V2 keys with a hwaddr mismatch will be disconnected.
|     TLS-Crypt-V2 keys without a hwaddr can connect.
|     TLS Auth and Crypt-v1 keys can connect.

Bumps all higher levels up by one.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech changed the title from "Client-connect: High level security should allow TLS-Auth/Crypt keys by configuration" to "Client-connect: High level security could allow TLS-Auth/Crypt keys by configuration" Jan 25, 2022
@TinCanTech TinCanTech added unresolved and removed enhancement New feature or request labels Jan 25, 2022
@TinCanTech TinCanTech added undecided This issue may be nothing and removed unresolved labels Feb 14, 2022