Comments (5)
Do you mean keymaster's CA cert as downloaded from https://keymaster.example.com/public/x509ca? I don't understand the question (why would clients want this cert anyway?). Or, if it's something else, can you explain and provide steps for reproducing?
from keymaster.
@bjhaid Ping?
I don't understand the question (why would clients want this cert anyway?).
This cert needs to be trusted on the client's machine to prevent the continuous prompts to manually trust the certificate. To prevent the CA from being used to issue a server cert that can MITM the user's traffic, the CA needs to explicitly indicate it is only used for signing client certs and nothing more. As it is today, the CA can be used to sign both server and client certificates.
@bjhaid what OS/browser combination are you seeing?
The expected behavior (when using a browser) is:
- The browser connects to the server and in the TLS handshake asks for an optional client side certificate. The server side certificate should be signed by a trusted authority.
- There should not be a need to inject the keymasterCA into users' browsers; it should only be needed by servers that want to trust keymaster x509 certificates for clients. While we could add the needed x509 flags, I am confused by the ask.
- The clients should try to NOT use the optional cert (but Chrome does not do this; instead it asks if there is any cert the client wants to use, and users should cancel/ignore this). After this no more client interaction is expected.
Can you detail here the behaviour you are seeing, and what you are expecting?
the behavior I am seeing is:
- the browser asks me for a client cert to present to the server, as below (issuer and serial intentionally grayed out):
- I get the prompt asking to trust, as in the screenshot
When I had not trusted the server's CA, I would get prompt number 2 every time I tried logging into keymaster/cloudgate. To prevent that from happening, rather than requiring every user to manually trust the cert, we can instead distribute it to the users.