Do web servers need to verify browser client certificates?

Question

I'm implementing an SSL layer for a web server project. I'm using polarSSL, though I think this question is a general SSL question.

When I get a connection to my server from a client I configure the SSL protcol like this:

ssl_set_endpoint( &mSsl, SSL_IS_SERVER );
ssl_set_authmode( &mSsl, SSL_VERIFY_NONE );

E.g. I'm not verifying the connection from the client. Do I need to do this?

Most browsers don't have client side certificates - though some do (I think). Is there any need or advantage for the server to verify the client? This is for a service where I would happily serve the data to a client that had no client side certificate at all.

score 1 · Accepted Answer · answered Jun 06 '13 at 20:11

1

Client-side authentication in SSL/TLS is used when it's required for the server to know its client. For example, it's widely used in banking, to access custom corporate servers etc.

In opposite, the common web server is intended to serve wide audience and not care about who's coming in. So client-side authentication is not used unless you know that you need it.

answered Jun 06 '13 at 20:11

Eugene Mayevski 'Callback

45,135
8
71
121

That's what I thought. Thanks for confirmation. – Rafael Baptista Jun 06 '13 at 20:59

Do web servers need to verify browser client certificates?

1 Answers1