Murmur 1.2.2 Linux & Mumble 1.2.2 Windows
ISSUE: Client certificate not allowing multiple users on one PC to connect to the same server
If user1 connects to murmur server1 and then user2 connects to murmur server1, user2 will be logged in as user1. If the client certificate is revoked or changed, user2 can connect as user2. This happens 100% of the time; in my case user1 is registered and user2 is unregistered. This issue is either due to client caching or to binding the client certificate to the client and not the user. A check needs to be added for a username change, and to allow a non-registered user. Furthermore, this password exchange technique is similar to PGP implementations and has severe exploits. Due to the nature of this project, client certificates not issued by a murmur server are just asking to be exploited. I recommend removal of the client certificate in lieu of an option to register on a murmur server through a wizard in the client, with SSL or encryption defined by the murmur server it is attempting to register with. I have been able to exploit the client certificate easily. Below is an example of the fields necessary:
This implementation would also solve the issue of creating new users, since no good new user creation interface exists in the community for unattended end user registration. Using ACLs & Groups, admins can still require adding a user to a group before granting access to channels, and can change the server registration password or disable registration if required by the application.
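
The behaviour described in this report and the username check it asks for, as an added example that is not part of the original report and is not Murmur's code. It is a simplified model that assumes the server maps a certificate fingerprint to a registered name; the function names, the sample certificate bytes and the handling of a name mismatch are hypothetical.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    # Digest of the certificate bytes; SHA-256 is this model's choice.
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample data: one certificate stored in the shared client
# install, registered on the server to user1.
SHARED_CERT = b"constructed-client-certificate"
REGISTERED = {fingerprint(SHARED_CERT): "user1"}

def login_cert_first(username, cert_der, registered):
    """Reported behaviour: a known certificate decides the identity."""
    owner = registered.get(fingerprint(cert_der))
    if owner is not None:
        return owner, True      # requested username is ignored
    return username, False      # unknown certificate: unregistered session

def login_with_name_check(username, cert_der, registered):
    """Proposed check: compare the requested name with the cert owner."""
    owner = registered.get(fingerprint(cert_der))
    if owner == username:
        return owner, True
    if username in registered.values():
        # Name is registered to a different certificate: do not hand it out.
        raise PermissionError(f"{username!r} is registered to another certificate")
    return username, False      # unregistered session under the requested name

if __name__ == "__main__":
    print(login_cert_first("user2", SHARED_CERT, REGISTERED))
    print(login_with_name_check("user2", SHARED_CERT, REGISTERED))
```

Each function returns the session name and whether the session counts as registered, so the two policies can be compared on the same shared certificate.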