@@ -517,16 +517,18 @@ The VPN client and server shall implement data validity checks on all incoming p
All elements of the product that connect to nodes providing security-relevant services shall authenticate the node before using any services from the node.
#### 5.2.8.2 MI-AUTH-1 Authentication via pre-shared secrets
#### 5.2.8.2 MI-AUTH-1 Authentication of security-relevant nodes
The VPN client shall require the use of pre-shared secrets, certificates, or fingerprints to authenticate the identity of any security-relevant node involved in the VPN connection.
The VPN client shall require the use of pre-shared secrets, certificates, or fingerprints to authenticate the identity of any security-relevant node involved in the VPN connection and establish an initial secure connection.
Guidance: Some options may be: TLS certificates already installed on the platform, configuration files containing secrets, credentials provided as part of the product, fingerprints of keys that are distributed on a website or in accompanying documentation, along with instructions to the user on how to verify them.
* Reference: TR-AUTH
* Objective: Prevent client trusting a masquerading node
* Preparation: For each method of authenticating the node's identity, set up a test node that provides invalid authentication responses
* Activities: For each method of authentication, make the VPN client to attempt to connect to the test node using this method of authentication
* Preparation: For each method of authenticating the security-relevant node's identity, set up a test node that provides invalid secrets, certificates, or fingerprints
* Activities: For each method of authentication, make the VPN client to attempt to connect to the test node using this method of authentication, and follow user instructions on how to approve authentication, if any
* Verdict: VPN client does not connect to node => PASS, otherwise FAIL
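Review bot: The new clause "and establish an initial secure connection" in the MI-AUTH-1 requirement adds a positive obligation that none of the test steps in this hunk exercise: Preparation sets up only a node presenting invalid secrets, certificates, or fingerprints, and the Verdict only checks that the client refuses to connect, so a client that rejects bad credentials but never actually establishes a protected session would still PASS. Either drop the clause from the requirement or add a matching positive case (a correctly authenticated test node, with a verdict that the connection is established and protected) so the test covers what the requirement states. Also, since Preparation now covers fingerprint-based authentication where the user verifies values from a website or documentation, the Activities line should say explicitly that the tester follows those instructions correctly, i.e. declines a fingerprint that does not match, otherwise the "follow user instructions on how to approve authentication, if any" step is ambiguous about whether the tester approves or rejects. Minor style point: "make the VPN client to attempt to connect" should read "make the VPN client attempt to connect" in both Activities lines.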