Does StreamSec Tools 4 support TLS Client Authentication?
Dany Marmur 2018-08-31 17:46:04 Registered user
And if so, where do I start digging?
Thanks, /Dany
Henrick Wibell Hellström 2018-09-01 10:49:08 Registered user
The Client Authentication feature is disabled in the current version of ST 4.0. In TLS 1.2 and earlier, the feature is vulnerable at the protocol level, and I have been awaiting standardized guidelines for how to fix these vulnerabilities in the old protocol versions. Since there aren't any such standardized guidelines and probably won't be any, I will re-enable the feature with the proprietary countermeasures in an upcoming version.
Please note that there typically aren't any good reasons for using this feature, except for compatibility with existing implementations (such as if you implement a new client for an existing server that requires client certificate authentication). The feature is impossible to implement efficiently; it is poorly designed at the protocol level, and most implementations that do use it do so in a manner that amplifies the security vulnerabilities. One exception would be if your clients have hardware certificates, e.g. on smart cards. In such a case, TLS client certificate authentication might ideally provide higher security than typical password authentication schemes.
Henrick Wibell Hellström 2018-09-01 10:57:09 Registered user
What I meant to ask was:
- Do you need the actual TLS client certificate feature, and in such a case, do you need it ASAP?
- Do you have specific security requirements, rather than specific technical compatibility requirements, and in such a case, which?
Dany Marmur 2018-09-01 15:42:12 Registered user
Ah! Brilliant answer as usual. You saved me lots of googling.
To answer your questions:
- No.
- No.
I'll continue on my initial track. Actually, TLS client auth is not very suitable in this scenario for many other reasons. One of them being the fact that I would like to have "this" server behind a router that already manages all server TLS stuff. I put the question here in order to avoid "reinventing the wheel" or making a bad decision. Thanks a lot! /Dany