Summary
A remote client can complete the inbound libp2p TLS handshake without presenting a certificate and without proving any libp2p peer identity. The server still creates a valid SecureSession for the connection, assigning a freshly generated synthetic Peer ID to the unauthenticated client.
Expected behavior
The remote client must present a valid libp2p certificate, and the server must verify that it proves the client's peer identity. If no certificate is presented, or the certificate is invalid, the connection should be closed rather than upgraded to a secure session.
Actual behavior
The remote client presents no valid certificate, yet the secure connection is still established and the server assigns it a synthetic Peer ID instead of rejecting it.
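To make the expected check concrete, the following Go program is an added example written for this report; it is not code from the affected project. It builds a libp2p-style self-signed certificate (the spec's extension OID 1.3.6.1.4.1.53594.1.1 carrying a key signed with the prefix "libp2p-tls-handshake:") and shows the server-side check that should run before any session is created: the TLS layer demands a client certificate, and the handshake callback rejects an empty chain, a missing extension, or a signature that does not bind the host key to the certificate key. One simplification is an assumption of this example: the extension stores the raw Ed25519 host key rather than the protobuf-encoded libp2p PublicKey the spec uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the libp2p extension, as given in the libp2p TLS handshake spec.
var libp2pExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 53594, 1, 1}

// Domain-separation prefix the spec prepends to the certificate key before signing.
const signaturePrefix = "libp2p-tls-handshake:"

// signedKey mirrors the spec's SignedKey SEQUENCE. Simplification (assumption of this
// example): PubKey is the raw Ed25519 host key, not a protobuf-encoded libp2p PublicKey.
type signedKey struct {
	PubKey    []byte
	Signature []byte
}

// makeCert builds the self-signed certificate a libp2p client must present: an
// ephemeral certificate key, bound to hostKey by the signature in the extension.
func makeCert(hostKey ed25519.PrivateKey) (tls.Certificate, error) {
	certPub, certPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	spki, err := x509.MarshalPKIXPublicKey(certPub)
	if err != nil {
		return tls.Certificate{}, err
	}
	sig := ed25519.Sign(hostKey, append([]byte(signaturePrefix), spki...))
	extVal, err := asn1.Marshal(signedKey{
		PubKey:    []byte(hostKey.Public().(ed25519.PublicKey)),
		Signature: sig,
	})
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: libp2pExtOID, Critical: true, Value: extVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, certPub, certPriv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: certPriv}, nil
}

// verifyLibp2pPeer is the check the server must run on the presented chain. An empty
// chain is an error, not a reason to mint a placeholder Peer ID.
func verifyLibp2pPeer(rawCerts [][]byte) (ed25519.PublicKey, error) {
	if len(rawCerts) != 1 {
		return nil, fmt.Errorf("expected exactly one certificate, got %d", len(rawCerts))
	}
	cert, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return nil, err
	}
	var extVal []byte
	for _, e := range cert.Extensions {
		if e.Id.Equal(libp2pExtOID) {
			extVal = e.Value
		}
	}
	if extVal == nil {
		return nil, errors.New("certificate lacks the libp2p extension")
	}
	var sk signedKey
	rest, err := asn1.Unmarshal(extVal, &sk)
	if err != nil || len(rest) != 0 || len(sk.PubKey) != ed25519.PublicKeySize {
		return nil, errors.New("malformed libp2p extension")
	}
	hostPub := ed25519.PublicKey(sk.PubKey)
	msg := append([]byte(signaturePrefix), cert.RawSubjectPublicKeyInfo...)
	if !ed25519.Verify(hostPub, msg, sk.Signature) {
		return nil, errors.New("libp2p extension signature does not match the certificate key")
	}
	return hostPub, nil // the Peer ID is derived from this key, never invented
}

// serverConfig captures the fix on the accepting side: require a client certificate at
// the TLS layer and bind the connection to a verified identity before creating a session.
func serverConfig(serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert, // not NoClientCert or RequestClientCert
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			_, err := verifyLibp2pPeer(rawCerts)
			return err
		},
	}
}

func main() {
	_, hostKey, _ := ed25519.GenerateKey(rand.Reader)
	cert, err := makeCert(hostKey)
	if err != nil {
		panic(err)
	}
	if _, err := verifyLibp2pPeer(cert.Certificate); err != nil {
		panic(err)
	}
	_, err = verifyLibp2pPeer(nil) // the situation in this report: no client certificate
	fmt.Println("no client certificate:", err)
	_ = serverConfig(cert)
}
```

The two settings matter together: `RequireAnyClientCert` alone lets any self-signed certificate through, and `VerifyPeerCertificate` alone is never reached if the TLS stack does not demand a certificate in the first place.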
Would you like to work on fixing this bug?
Yes
Credit
This issue was highlighted by Yann Lorwyn.