Proposal: Make client-side authentication methods optional #501
Comments
+1 to removing this restriction. I think the rationale for this was to protect users against insecure setups, but forcing this on the client side doesn't look very useful. Trying to warn/prevent server setups with no client authentication mechanism in place should be enough.

This if should be kept, a new config directive, like

A potential workaround is to define username/password inline (use dummy values):
verify-client-cert none

Hi,
I would like to discuss mandatory client-side authentication methods, such as --cert/--key, --pkcs12, or --auth-user-pass.
Currently, I had something in my mind to fully delegate the authentication to the WEBAUTH protocol.
WEBAUTH does not require client certificates, and username/pass authentication is done via web browser. That also makes auth-user-pass obsolete.
Running an OpenVPN server with
works fine, but from the client side, it's a requirement to configure client certificates or `auth-user-pass`.
A configuration without client-side authentication methods produces a config error:
which I would like to eliminate.
In such cases, I prefer the `tls-crypt-v2` or `tls-crypt` options as initial authentication, as an additional security layer.
The current workaround is one pair of client certificates which I have to use at each client.
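
The server-side check suggested in the first comment (flag setups with no client authentication mechanism in place), sketched as a config lint. This is an added example, not code from the thread or from OpenVPN. The finding names and sample configs are constructed, and it assumes `auth-user-pass-verify`, `plugin` and `management-client-auth` are the alternative authentication paths.

```python
import shlex

# Assumption: these server directives provide client auth without certificates.
ALT_AUTH = {"auth-user-pass-verify", "plugin", "management-client-auth"}
TLS_WRAP = {"tls-crypt", "tls-crypt-v2", "tls-auth"}

def parse_directives(text):
    """Return {directive: [args]} for an OpenVPN config; later lines win."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <name>...</name>: skip key material
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # both comment styles
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]          # inline block counts as the directive
            found[inline] = []
            continue
        try:
            parts = shlex.split(line, comments=True)
        except ValueError:               # unbalanced quote: fall back to whitespace
            parts = line.split()
        if parts:
            found[parts[0].lstrip("-")] = parts[1:]
    return found

def audit_server(text):
    """List findings for a server config that relaxes client certificates."""
    d = parse_directives(text)
    mode = (d.get("verify-client-cert") or ["require"])[0]
    if "client-cert-not-required" in d:  # older spelling of 'none'
        mode = "none"
    findings = []
    if mode in ("none", "optional"):
        if not ALT_AUTH & d.keys():
            findings.append("no-client-auth")  # nothing authenticates the client
        if not TLS_WRAP & d.keys():
            findings.append("no-tls-wrap")     # no pre-auth control-channel key
    return findings

# Constructed sample configs (not taken from the issue).
WEAK_SERVER = "# constructed\nport 1194\nverify-client-cert none\n"
DELEGATED_SERVER = ("verify-client-cert none\nmanagement 127.0.0.1 7505\n"
                    "management-client-auth\ntls-crypt-v2 server.key\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SERVER), ("delegated", DELEGATED_SERVER)):
        print(name, audit_server(cfg) or "ok")
```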