Enable TLS-only client authentication by default

Fredrik Orderud · Fredrik Orderud · commit df9cfd315226 · 2022-10-25T10:33:01.000+02:00
Done to make default builds of this EST server better conform to RFC 7030 that recommend TLS-based client authentication, whereas HTTP-based authentication is optional.

Extract from RFC 7030 section 3.3.2. TLS-Based Client Authentication:
TLS client authentication is the RECOMMENDED method for identifying EST clients.  HTTP-based client authentication (Section 3.2.3) MAY be used.
diff --git a/example/client/README b/example/client/README
@@ -117,8 +117,7 @@ To run the example:
 5.  Optionally, you can use a certificate to identify the EST client
     to the server instead of specifying the HTTP user name/password.  
     Now that you've enrolled a certificate in step #3
-    above, you can use that certificate to enroll again. Note, your
-    EST server should be configured not to force HTTP authentication. 
+    above, you can use that certificate to enroll again.
 
     First, convert the pkcs7 cert from step 3 to a PEM cert:
 
diff --git a/example/server/estserver.c b/example/server/estserver.c
@@ -93,7 +93,6 @@ static int http_digest_auth = 0;
 static int http_basic_auth = 0;
 static int http_token_auth = 0;
 static int http_auth_disable = 0;
-static int disable_forced_http_auth = 0;
 static int enable_enhcd_cert_auth = 0;
 static int set_cert_auth_ah_pwd = 0;
 static EST_ECA_CSR_CHECK_FLAG enhcd_cert_csr_check_on = ECA_CSR_CHECK_OFF;
@@ -232,7 +231,6 @@ static void show_usage_and_exit (void)
             "  -t           Enable check for binding client PoP to the TLS UID\n"
             "  -m <seconds> Simulate manual CA enrollment\n"
             "  -n           Disable HTTP authentication (TLS client auth required)\n"
-            "  -o           Disable HTTP authentication when TLS client auth succeeds\n"
             "  -h           Use HTTP Digest auth instead of Basic auth\n"
             "  -b           Use HTTP Basic auth.  Causes explicit call to set Basic auth\n"
             "  -p <num>     TCP port number to listen on\n"
@@ -2244,9 +2242,6 @@ int main (int argc, char **argv)
         case 'n':
             http_auth_disable = 1;
             break;
-        case 'o':
-            disable_forced_http_auth = 1;
-            break;
         case 'v':
             verbose = 1;
             break;
@@ -2509,14 +2504,13 @@ int main (int argc, char **argv)
             exit(1);
         }
     }
-    if (disable_forced_http_auth) {
-        if (verbose)
-            printf(
-                "\nDisabling HTTP authentication when TLS client auth succeeds\n");
-        if (est_set_http_auth_required(ectx, HTTP_AUTH_NOT_REQUIRED)) {
-            printf("\nUnable to disable required HTTP auth.  Aborting!!!\n");
-            exit(1);
-        }
+
+    if (verbose)
+        printf(
+            "\nDisabling HTTP authentication when TLS client auth succeeds\n");
+    if (est_set_http_auth_required(ectx, HTTP_AUTH_NOT_REQUIRED)) {
+        printf("\nUnable to disable required HTTP auth.  Aborting!!!\n");
+        exit(1);
     }
 
     if (http_digest_auth) {
