netopeer2

v2.2.13 : Client authentication in TLS

Open robbynet opened this issue 1 year ago • 2 comments

Hello, the tls_callhome.xml example shared in the example_configuration directory is setting both ca-certs and ee-certs, while in ietf-netconf-server we have the following specification:

refine "client-authentication" { must 'ca-certs or ee-certs';

Questions:

  • So why set both ca-certs and ee-certs in the example, while the IETF YANG model is documented as one or the other?
  • Does NC Server support setting only ca-certs?

Regards.
Christian.

robbynet avatar Feb 01 '24 08:02 robbynet

It is using "or", meaning one, or the other, or both, not nor. Either a known CA certificate or a client certificate directly is needed to authenticate every client, and in this case both are being set, which does not break anything. I have tried it and it works only with either of them; I think we have not realized it is no longer needed after the last updates, but I am not sure it is worth removing.

michalvasko avatar Feb 01 '24 08:02 michalvasko

Thanks for the confirmation

robbynet avatar Feb 01 '24 09:02 robbynet