
Moscowchill

#27191 of 53,624
9.3 Total CVSS
Vulnerabilities · 1
PT-2026-21768
9.3
2026-01-01
Caddy · Caddy · CVE-2026-27586
**Name of the Vulnerable Software and Affected Versions**

Caddy versions prior to 2.11.1

**Description**

Caddy, an extensible server platform that uses TLS by default, has an issue where mTLS client certificate authentication can silently fail open under certain conditions. Specifically, if a CA certificate file is missing, unreadable, or malformed, the server starts without error but accepts any client certificate signed by any system-trusted CA, bypassing the intended private CA trust boundary. This occurs because errors in the `ClientAuthentication.provision()` function are swallowed, preventing the server from recognizing the misconfiguration. The issue affects deployments using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS. The root cause lies in incorrect error handling within the `provision()` method in `modules/caddytls/connpolicy.go`, where `return nil` should be `return err` on lines 787 and 800. A proof-of-concept demonstrates that a client can successfully connect with any certificate, even a self-signed one, when the CA file is nonexistent.

**Recommendations**

Versions prior to 2.11.1 should be updated to version 2.11.1 or later to resolve this issue.
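An illustrative reconstruction of the swallowed-error pattern described above beside its fail-closed counterpart, written as a stand-alone Go example for this entry; it is not Caddy's code, and the function names, the `(nil, nil)` return shape and the constructed temp-dir probe are assumptions. `Probe` reports `true` when a loader lets provisioning succeed with no private CA pool, which for `crypto/tls` means client certificates are verified against the system roots, the silent widening of the trust boundary this entry warns about.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"os"
	"path/filepath"
)

// Vulnerable pattern: read/parse errors return (nil, nil). With a nil
// ClientCAs, crypto/tls verifies client certs against the system roots.
func loadClientCAsVulnerable(path string) (*x509.CertPool, error) {
	pem, err := os.ReadFile(path)
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(pem) {
		return nil, nil // BUG: error swallowed; should be: return nil, err
	}
	return pool, nil
}

// Fixed pattern: every error propagates, so provisioning aborts (fail closed).
func loadClientCAsFixed(path string) (*x509.CertPool, error) {
	pem, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading trusted CA file %q: %w", path, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pem) {
		return nil, fmt.Errorf("no valid CA certificates in %q", path)
	}
	return pool, nil
}

// Probe feeds a loader a nonexistent and a malformed CA file (constructed in
// a throwaway temp dir) and reports, per case, whether the loader fails open.
func Probe(load func(string) (*x509.CertPool, error)) (missing, malformed bool, err error) {
	dir, err := os.MkdirTemp("", "mtls-ca")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	bad := filepath.Join(dir, "bad.pem")
	if err = os.WriteFile(bad, []byte("not a certificate"), 0o600); err != nil {
		return
	}
	p1, e1 := load(filepath.Join(dir, "missing.pem"))
	p2, e2 := load(bad)
	return e1 == nil && p1 == nil, e2 == nil && p2 == nil, nil
}
```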