Santi70
just joined
Topic Author
Posts: 21
Joined: Mon Sep 07, 2020 12:35 am

SSPT and certificate use

Thu Nov 10, 2022 1:47 pm

Hello, I have created an SSTP server from my mikrotik hAP_ac2 with version 7.6, I created the signed CA and SERVER certificates.
When connecting it to a Windows 11 PC and installing the CA certificate on it, the VPN connects fine, without the certificate it does not connect.
The server is configured like this:
[attached screenshot: SSPT.jpg]
However, I installed the SSTP Max application on my Android mobile.

https://play.google.com/store/apps/deta ... l=US&pli=1

With it I was able to connect to the VPN with only the username and password, without the need for the certificate.
My doubt, what role does the certificate play in this case?
I always thought that the certificate was also necessary on the client side to achieve a more secure connection.
 
tdw
Forum Guru
Posts: 1547
Joined: Sat May 05, 2018 11:55 am

Re: SSPT and certificate use

Thu Nov 10, 2022 2:03 pm

It is. If the client does not verify the server certificate chain, you are open to man-in-the-middle attacks.
 
Santi70
just joined
Topic Author
Posts: 21
Joined: Mon Sep 07, 2020 12:35 am

Re: SSPT and certificate use

Thu Nov 10, 2022 8:08 pm

Let's see if I understand, the server allows the connection of any client without a certificate?
 
sindy
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSPT and certificate use

Thu Nov 10, 2022 8:19 pm

Let's see if I understand, the server allows the connection of any client without a certificate?
Yes, that's how Microsoft has designed it. It is only the client that checks the authenticity of the server using a certificate - the certificate Subject-Alt-Name field must contain the IP address or the FQDN to which the client is configured to connect. Only if this is true will the client accept the authentication challenge and send the username and the challenge hashed using the password in response.

The app you mention does allow some certificate related settings in the SSL part of the setup.

Mikrotik supports deviation from the Microsoft standard in both ways - it can use a certificate also to authenticate the client, but on the other hand it can also let the client ignore the server certificate, or at least let it not verify that the SAN field matches the IP or FQDN, i.e. it can be set to accept any certificate signed by a certification authority it trusts.
 
Santi70
just joined
Topic Author
Posts: 21
Joined: Mon Sep 07, 2020 12:35 am

Re: SSPT and certificate use

Thu Nov 10, 2022 10:22 pm

So any client can connect to the server just by knowing the username and password?
From the server side is there any extra way to ensure that the client connecting is the correct one apart from knowing the username and password?
Thank you
 
sindy
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSPT and certificate use

Fri Nov 11, 2022 12:13 am

From the server side is there any extra way to ensure that the client connecting is the correct one apart from knowing the username and password?
In the Microsoft design, no. The server will accept any client with the proper username and password.

Mikrotik acting as a server can check a client certificate, but the Microsoft client is unable to present it, so if you want Microsoft clients to connect, you cannot require that check on Mikrotik side.

For mutual authentication using certificates, you have to use IKEv2. On Android, it is embedded on contemporary versions and available using Strongswan on older ones.
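Added example (not from the thread or from MikroTik's documentation) putting sindy's two points into RouterOS CLI form: the server certificate's SAN must carry the address the client connects to, and the RouterOS SSTP client can be told to verify (or not verify) the server certificate and its SAN, while the server can optionally demand a client certificate. The names, the hostname vpn.example.com, the IP 203.0.113.10 and the password placeholder are all assumed values.

```routeros
# --- Server side (RouterOS acting as SSTP server) ---
/certificate
# CA template, then self-sign it (assumed name: MyCA)
add name=ca-template common-name=MyCA key-usage=key-cert-sign,crl-sign days-valid=3650
sign ca-template name=MyCA
# Server cert: the SAN must list the FQDN/IP the clients dial, or a verifying
# client (Windows, or a RouterOS client with the checks below) will refuse it.
add name=srv-template common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com,IP:203.0.113.10 \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=1095
sign srv-template ca=MyCA name=server-cert

/interface sstp-server server
# verify-client-certificate=no is the Microsoft-compatible behaviour:
# any client with a valid username/password is accepted (Windows clients
# cannot present a client certificate, so leave it "no" for them).
set enabled=yes certificate=server-cert authentication=mschap2 \
    verify-client-certificate=no force-aes=yes pfs=yes

# --- Client side (a second RouterOS box acting as SSTP client) ---
/interface sstp-client
# Weak setting: no server certificate check at all, so a man-in-the-middle
# holding any certificate can terminate the TLS session and collect the
# MS-CHAPv2 exchange.
add name=sstp-weak connect-to=vpn.example.com user=alice password=CHANGE_ME \
    verify-server-certificate=no disabled=yes

# Corrected setting: chain must lead to a trusted CA (import MyCA here first)
# and the SAN must match the connect-to address, which is what Windows does.
add name=sstp-verified connect-to=vpn.example.com user=alice password=CHANGE_ME \
    verify-server-certificate=yes verify-server-address-from-certificate=yes \
    disabled=no
```

With verify-client-certificate=yes on the server and certificate= set on the RouterOS client, the MikroTik-to-MikroTik pair gets mutual certificate authentication, which, as the thread notes, Windows clients cannot participate in.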
 
Santi70
just joined
Topic Author
Posts: 21
Joined: Mon Sep 07, 2020 12:35 am

Re: SSPT and certificate use

Fri Nov 11, 2022 11:16 am

Thank you, I understand. I thought authentication only by username and password was not completely secure.
 
sindy
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSPT and certificate use

Fri Nov 11, 2022 12:27 pm

Nothing is completely secure, and in general, username/password is indeed less secure than a certificate.
