SSTP works without certificate
Posted: Thu Dec 26, 2019 11:06 pm
by Porfavor
Hello,
Can anyone explain how it is possible that an SSTP connection works without using a certificate (on Windows clients that won't work, and it shouldn't work either) using this app?
Is there anything misconfigured on the server?
Re: SSTP works without certificate
Posted: Fri Dec 27, 2019 8:57 am
by admin
Are you talking about the certification authority or the client certificate used by the EAP-TLS authentication protocol?
On Windows the certification authority is mandatory and is used to verify the validity of the server certificate.
In my app the user can import the certification authority, but this is optional. If the certification authority is not configured, on the first connection the app shows the user the details of the server certificate; if the user allows the connection, the app saves the server certificate and checks it on each subsequent connection. This is done to simplify the VPN configuration.
The client certificate is used only if the server is configured with the EAP-TLS authentication protocol. In any case, the server can be configured with multiple authentication protocols, and in that case the client can negotiate one of the other available authentication methods.
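The first-connection behaviour described in the reply above (show the server certificate, save it if the user approves, compare it on every later connection) is trust-on-first-use pinning. The sketch below is an added example, not the app's own code; the SHA-256-of-DER pin format, the JSON file store and the names `PinStore`, `check` and `vpn.example.test` are assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-server-cert-A"
CERT_B = b"constructed-der-bytes-different-cert-B"

def fingerprint(der_cert):
    """SHA-256 of the DER certificate (assumed pin format)."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Hypothetical per-server pin store backed by a JSON file."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, server, der_cert, ask_user):
        """Return 'pinned', 'rejected', 'match' or 'mismatch'."""
        seen = fingerprint(der_cert)
        known = self.pins.get(server)
        if known is None:
            # First connection: no CA and no pin, so the user decides.
            if not ask_user(server, seen):
                return "rejected"
            self.pins[server] = seen
            with open(self.path, "w", encoding="utf-8") as fh:
                json.dump(self.pins, fh)
            return "pinned"
        # Later connections: certificate must equal the saved one.
        return "match" if hmac.compare_digest(known, seen) else "mismatch"

def demo():
    """First use, reconnect after restart, then a swapped certificate."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        first = PinStore(path).check("vpn.example.test", CERT_A, lambda s, fp: True)
        again = PinStore(path).check("vpn.example.test", CERT_A, lambda s, fp: False)
        swapped = PinStore(path).check("vpn.example.test", CERT_B, lambda s, fp: True)
        return [first, again, swapped]

if __name__ == "__main__":
    print(demo())
```

A `mismatch` has to end the connection before the username and password are sent, because with no certification authority imported the saved certificate is the only check on the server's identity.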
Re: SSTP works without certificate
Posted: Fri Dec 27, 2019 4:53 pm
by Porfavor
Hello,
thank you for your reply.
It then may have something to do with several authentication options. I'll have to have a look at that, I think.
I am talking about the client certificate which, on Windows clients, needs to be created on the client and where a request to the server needs to be made. Or isn't the client request necessary with the current configuration? I am not familiar with certificates yet; I have just played around with different VPN protocols and intend to stay with SSTP as it seems to work best.
Re: SSTP works without certificate
Posted: Fri Dec 27, 2019 5:09 pm
by Porfavor
The authentication options checked are "EAP" and "MS-Chap v2". On the Windows client it's "EAP-MS-Chap v2". Is this supposed to need a client certificate? If not, what method would be the one to use for certificate authentication?
Re: SSTP works without certificate
Posted: Sat Dec 28, 2019 8:37 am
by admin
Both EAP-MS-CHAPV2 and MS-CHAPV2 are based on username and password.
To use the certificate you should use EAP-TLS.
On the server side it should be called something like "EAP Microsoft: Smart card or other certificate".
Re: SSTP works without certificate
Posted: Sat Dec 28, 2019 6:42 pm
by Porfavor
Thank you for explaining. I did that now and it can't - as expected - connect as there is no certificate on/for the client. How am I able to create a certificate for an Android client?
Re: SSTP works without certificate
Posted: Sun Dec 29, 2019 1:34 am
by Porfavor
Now, I am not able to access the LAN after connecting, which had worked before. I have no idea what's the issue. Have already played around with different settings. I am a bit confused about the IP4 routes, which tell me 10.61.61.2/32 (VPN range - okay), 0.0.0.0/1, 128.0.0.0/1.
The last two values seem not to be correct - I suppose, this should be 255.255.255.0, VPN server?
Re: SSTP works without certificate
Posted: Sun Dec 29, 2019 2:49 am
by Porfavor
Never mind. A complete restart of the router and server did it. It works again.