
Only one type of TLS key is supported per X509 client certificate

Open TinCanTech opened this issue 3 years ago • 2 comments

Each X509 client certificate can only use (have an inline file for) one of the following keys:

  • One inline-file per X509 client certificate - to - One TLS-Auth-key.
  • One inline-file per X509 client certificate - to - One TLS-Crypt-key. These two types of inline file are mutually exclusive.

With TLS-Crypt-V2 keys:

  • One inline-file per TLS-Crypt-V2 key - to - One X509 client certificate. The X509 client certificate for unique TLS-Crypt-V2 keys can be used an unlimited number of times.

No X509 client certificate can have inline-files for TLS-Crypt-V2 and any other TLS key at the same time.

TinCanTech, Jun 10 '21 16:06

It may be possible to override current behaviour, to allow multiple types of TLS key per X509 client certificate with a switch for easytls-verify.sh. The switch would still detect clients which should be using TLS-Crypt-V2 keys but allow them to connect anyway.

This is a bad idea -- Inline files without a subkey-name are always mutually exclusive.

TinCanTech, Jun 10 '21 17:06
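As an added illustration of the rules stated in the issue body and the "no subkey-name" caveat in the comment above (example code, not part of easy-tls), the following Python check models them: each inline file is assumed to be an OpenVPN config snippet carrying exactly one `<tls-auth>`, `<tls-crypt>` or `<tls-crypt-v2>` block, every file is assumed to have no subkey-name, and the mapping from certificate name to its inline files is supplied by the caller.

```python
import re

# Inline blocks an OpenVPN config file can carry for the control-channel TLS key.
TLS_KEY_BLOCKS = ("tls-auth", "tls-crypt", "tls-crypt-v2")

def tls_key_types(inline_text):
    """Return the set of TLS key block types opened in one inline file."""
    return {name for name in TLS_KEY_BLOCKS
            if re.search(r"^<%s>\s*$" % re.escape(name), inline_text, re.M)}

def check_cert_inlines(inlines_by_cert):
    """inlines_by_cert maps a client certificate name to the texts of all inline
    files generated for it (all without a subkey-name). Returns a list of
    (cert_name, problem) tuples; an empty list means the set is consistent."""
    problems = []
    for cert, files in inlines_by_cert.items():
        seen = []
        for idx, text in enumerate(files):
            kinds = tls_key_types(text)
            if len(kinds) != 1:
                problems.append((cert, "inline file %d carries %d TLS key blocks, expected 1"
                                 % (idx, len(kinds))))
                continue
            seen.append(kinds.pop())
        unique = set(seen)
        if "tls-crypt-v2" in unique and len(unique) > 1:
            # A cert with TLS-Crypt-V2 inline files may not have any other TLS key type.
            problems.append((cert, "tls-crypt-v2 mixed with %s" % sorted(unique - {"tls-crypt-v2"})))
        elif {"tls-auth", "tls-crypt"} <= unique:
            problems.append((cert, "tls-auth and tls-crypt inline files are mutually exclusive"))
        elif len(seen) > 1 and "tls-crypt-v2" not in unique:
            # TLS-Auth / TLS-Crypt: only one inline file per certificate.
            problems.append((cert, "more than one inline file for a %s key" % seen[0]))
    return problems

def fake_inline(block):
    """Constructed sample inline file: a real one also carries <cert>/<key>,
    and the key material here is a placeholder, not a usable key."""
    return ("client\n<%s>\n-----BEGIN OpenVPN Static key V1-----\n"
            "PLACEHOLDER\n-----END OpenVPN Static key V1-----\n</%s>\n" % (block, block))

SAMPLE = {  # constructed input, not real easy-tls output
    "alice": [fake_inline("tls-crypt")],                                  # ok
    "bob":   [fake_inline("tls-crypt-v2"), fake_inline("tls-crypt-v2")],  # ok: one v2 key per file
    "carol": [fake_inline("tls-auth"), fake_inline("tls-crypt")],         # violation
    "dave":  [fake_inline("tls-crypt-v2"), fake_inline("tls-auth")],      # violation
}

if __name__ == "__main__":
    for cert, problem in check_cert_inlines(SAMPLE):
        print("%s: %s" % (cert, problem))
```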

#191

TinCanTech, Jun 26 '21 17:06