TLSWrap supports the following Public Key Infrastructure (PKI) security modes:
| Security mode | Name | Description |
|---|---|---|
| 0 | Vanilla TLS | No certificate verification is done. (Default for now.) |
| 1 | Relaxed whitelisting | On the first connection to a server, its certificates (control and data connections are treated separately, for obvious reasons) are saved in the certs dir (see the ChangeLog) as `<server-ip>-<data/ctrl>.pem`. On subsequent connections, TLSWrap verifies the stored certificates against those presented by the server. If the control connection certificate does not match, TLSWrap replies "530 TLSWrap certificate verification failed, disconnecting." and disconnects. If the data certificate does not match, it prints "425 TLSWrap data certificate verification failed." and aborts the data transfer, but stays connected to the server. No other checks (such as expiration dates, CRLs or CAs) are made on the certificates. |
| 2 | Strict whitelisting | Identical to mode 1, except that no new certificates are added. If TLSWrap cannot find certificate file(s) for a server, it simply disconnects. |
| 3 | Relaxed PKI path validation | Requires one or more X.509 CA certificates (or certificate chains) in the form of a PEM file. All certificates must be valid. Upon connection to a server, an encrypted TLS session is first established. This yields the server's X.509 certificate, which is validated against the previously specified CA certificate chain(s). No certificate fields are used. |
| 4 | Strict PKI path validation | Works like mode 3, but the certificate's name information is also verified: if the X.509v3 subject alternative name extension is present, its DNS name and IP address fields are matched against the server's; if there is no subjectAltName extension, the commonName (CN) is compared against the DNS name. If either check fails, the connection is terminated. |
## This is the proper way to use X.509 certificates ##
Set the default security mode with `-s <mode>`, or dynamically with the connection string `+<mode>user@host:port`.
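The following is an added example, not TLSWrap's own code: it models the whitelisting decision of modes 1 and 2 (stored-certificate comparison with the reply codes quoted above) and the mode 4 name rule (subjectAltName if present, otherwise commonName). Certificates are represented by constructed PEM strings and pre-extracted name fields rather than parsed X.509, the certs dir is a temporary directory, and treating a match on either SAN field (DNS or IP) as success is an assumption.

```python
import ipaddress
import os
import tempfile

# Reply texts quoted from the TLSWrap mode descriptions.
CTRL_REJECT = "530 TLSWrap certificate verification failed, disconnecting."
DATA_REJECT = "425 TLSWrap data certificate verification failed."


def new_certs_dir() -> str:
    # Stand-in for TLSWrap's certs dir: a fresh temporary directory (assumption).
    return tempfile.mkdtemp(prefix="tlswrap-certs-")


def cert_path(certs_dir: str, server_ip: str, channel: str) -> str:
    # Stored as <server-ip>-<data/ctrl>.pem, the naming the docs describe.
    if channel not in ("ctrl", "data"):
        raise ValueError("channel must be 'ctrl' or 'data'")
    return os.path.join(certs_dir, f"{server_ip}-{channel}.pem")


def whitelist_check(certs_dir, server_ip, channel, presented_pem, mode):
    """Modes 1 (relaxed) and 2 (strict). Returns (accepted, reply_or_None)."""
    path = cert_path(certs_dir, server_ip, channel)
    if not os.path.exists(path):
        if mode == 2:
            return False, None  # strict: nothing stored, just disconnect
        with open(path, "w") as f:  # relaxed: trust on first use
            f.write(presented_pem)
        return True, None
    with open(path) as f:
        stored = f.read()
    if stored == presented_pem:  # exact match; no expiry, CRL or CA checks
        return True, None
    if channel == "ctrl":
        return False, CTRL_REJECT  # control connection is dropped
    return False, DATA_REJECT  # transfer aborted, control stays up


def strict_name_check(cert: dict, server_dns: str, server_ip: str) -> bool:
    """Mode 4 name rule, applied after path validation has succeeded."""
    san = cert.get("san")  # None models an absent subjectAltName extension
    if san is None:
        return cert.get("cn") == server_dns  # fall back to commonName
    if server_dns in san.get("dns", ()):
        return True
    ip = ipaddress.ip_address(server_ip)
    return any(ipaddress.ip_address(i) == ip for i in san.get("ip", ()))
```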