mTLS: When certificate authentication is done wrong
Blog post from GitHub
X.509 certificates have gained prominence in zero-trust networks for client authentication, particularly through mutual TLS (mTLS). mTLS offers benefits over traditional methods such as passwords or tokens, but it introduces complexity, and that complexity can manifest in vulnerabilities such as user impersonation, privilege escalation, and information leakage, often due to improper implementation. The post explores specific vulnerabilities found in popular open-source identity servers, such as Keycloak and Apereo CAS, and demonstrates how they can be exploited, for example through improper certificate validation or certificate revocation checks. It underscores the importance of understanding the nuances of mTLS, including certificate chain validation, the potential for LDAP and SQL injection through certificate stores, and the risk of SSRF and even remote code execution (RCE) if revocation checks are improperly executed. It highlights that these vulnerabilities can be identified and resolved by adhering to best practices in certificate handling, such as ensuring that only the first certificate in a chain is verified and carefully managing certificate store configurations.
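As an added illustration of the three points the summary names (identity must come from the first certificate in the chain, certificate fields must be escaped before they reach a certificate-store query, and revocation checks must not follow client-chosen URLs), here is example code written for this page. It is not code from the GitHub post, Keycloak or Apereo CAS; the dict-based chain model, the user directory, the CRL allowlist and every sample value are constructed assumptions.

```python
# Added example for this page; it is not code from the GitHub post, Keycloak or
# Apereo CAS. It models how an identity server should turn a client's mTLS
# chain into a user lookup, next to the mistakes the post's summary names.
#
# Constructed data model (an assumption of this example): the TLS layer hands
# over the presented chain as a list of dicts in presentation order, where
# chain[0] is the end-entity certificate whose private key the client proved
# possession of during the handshake. Every other element is client-supplied
# input that the handshake did not authenticate.

USER_DIRECTORY = {"alice", "bob", "admin"}              # constructed
ALLOWED_CRL_URLS = {"http://crl.corp.example/ca.crl"}    # constructed allowlist


def find_user_vulnerable(chain, directory=USER_DIRECTORY):
    """Anti-pattern: search every certificate in the chain for a subject known
    to the directory. A client can append any public certificate it likes
    (say, a copy of the admin's) without holding the matching private key, and
    this loop will authenticate it as that user."""
    for cert in chain:
        if cert["subject_cn"] in directory:
            return cert["subject_cn"]
    return None


def find_user(chain, directory=USER_DIRECTORY):
    """Use only chain[0]: it is the one certificate the handshake verified."""
    if not chain:
        return None
    cn = chain[0]["subject_cn"]
    return cn if cn in directory else None


def ldap_filter_escape(value):
    """Escape an assertion value for an LDAP search filter per RFC 4515."""
    escaped = []
    for ch in value:
        if ch in "\\*()":
            escaped.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            escaped.append("\\00")
        else:
            escaped.append(ch)
    return "".join(escaped)


def ldap_filter_vulnerable(cn):
    """Anti-pattern: certificate subject spliced straight into the filter."""
    return "(cn=%s)" % cn


def ldap_filter(cn):
    """Subject escaped before it reaches the certificate store query."""
    return "(cn=%s)" % ldap_filter_escape(cn)


def crl_url_for(cert, allowed=ALLOWED_CRL_URLS):
    """Fetch the CRL only from an operator-configured location. Following the
    distribution point embedded in a client-supplied certificate turns the
    revocation check into a server-side request to a URL the client chose."""
    url = cert.get("crl_distribution_point")
    return url if url in allowed else None


# Constructed scenario: the client holds the key for a self-issued certificate
# whose CN is an LDAP wildcard and appends the admin's public certificate.
PRESENTED_CHAIN = [
    {"subject_cn": "*", "issuer_cn": "self",
     "crl_distribution_point": "http://internal.corp.example/"},  # constructed
    {"subject_cn": "admin", "issuer_cn": "Corp CA",
     "crl_distribution_point": "http://crl.corp.example/ca.crl"},
]

if __name__ == "__main__":
    print("vulnerable chain walk resolves:", find_user_vulnerable(PRESENTED_CHAIN))
    print("leaf-only resolution resolves:  ", find_user(PRESENTED_CHAIN))
    print("unescaped filter:", ldap_filter_vulnerable(PRESENTED_CHAIN[0]["subject_cn"]))
    print("escaped filter:  ", ldap_filter(PRESENTED_CHAIN[0]["subject_cn"]))
    print("CRL URL used:    ", crl_url_for(PRESENTED_CHAIN[0]))
```

Run stand-alone, the chain walk resolves the presented chain to `admin` while the leaf-only version resolves it to nobody, the unescaped filter becomes the match-everything `(cn=*)` while the escaped one is `(cn=\2a)`, and the leaf's embedded CRL location is rejected because it is not on the operator's allowlist. The same design applies to a SQL-backed certificate store: bind the subject as a parameter instead of splicing it into the statement.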