Commit e2c11a42 authored by Valerie Aurora

Rewrite first authentication requirement to new format

parent 631b925c
+8 −5
@@ -123,11 +123,14 @@ All elements of the product that connect to servers providing security-relevant

#### 5.2.X.x **[MI-AUTH-1]** Authentication via pre-shared secrets

The VPN client shall require the use of pre-shared secrets, certificates, or fingerprints to authenticate any security-relevant server's identity, preventing connection to a masquerading server.

* Test: set up an unauthorized test server using a self-signed certificate not pre-shared with the VPN client, configure the client to attempt to connect to this unauthorized server
* Result: the VPN client shall refuse to connect and report a server authentication failure event, and shall not transmit any confidential information beyond the initial cryptographic handshake necessary for server authentication
* Documentation: network capture or log confirming the absence of confidential client data transmission, and the client's connection log showing the cryptographic refusal
The VPN client shall require the use of pre-shared secrets, certificates, or fingerprints to authenticate the identity of any security-relevant node involved in the VPN connection.

  * Reference: TR-AUTH
  * Objective: Prevent client trusting a masquerading node
  * Preparation: For each method of authenticating the node's identity, set up a test node that provides invalid authentication responses
  * Activities: For each method of authentication, make the VPN client to attempt to connect to the test node using this method of authentication
  * Verdict: VPN client does not connect to node => PASS, otherwise FAIL
  * Evidence: Invalid authentication materials, log messages for connection attempt, packet capture

FIXME requirements on RDPS
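
Review bot: The new Verdict line ("VPN client does not connect to node => PASS, otherwise FAIL") is weaker than the Result bullet it replaces. It no longer requires the client to report a server authentication failure event, and it drops the condition that no confidential information is transmitted beyond the initial cryptographic handshake. As written, a client that fails to connect for an unrelated reason passes, and the packet capture listed under Evidence has no stated pass criterion. Suggest carrying both conditions into the Verdict, and having Preparation confirm that the client does connect when the same node presents valid authentication materials. Preparation's "invalid authentication responses" would also be easier to reproduce if it named concrete cases per method, as the replaced Test bullet did with a self-signed certificate not pre-shared with the client. Minor: "make the VPN client to attempt to connect" should read "make the VPN client attempt to connect", and the heading still says "Authentication via pre-shared secrets" although the requirement text also covers certificates and fingerprints.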