Raymond Popowich wrote:

One thing that I'd like some clarification on. Once I get this working, shouldn't there be a way for me to say I only want certain client side certificates to be able to connect to this web site? Otherwise anyone with a client side cert can connect. I'm sure I'm missing an important piece of information here and I just need to be pointed in the right direction.

If a server supports or requires client auth, it sends a cert
request that includes what type of cert is required, and a list
of DN's of recognized certificate authorities.  If you do not
present a cert signed directly by one of these, or a certificate
chain that has a cert signed by one of these, the handshake will
fail.

See the spec:

http://wp.netscape.com/eng/ssl3
SSL 3.0 Specification


5.6.4 Certificate request

   A non-anonymous server can optionally request a certificate from
   the client, if appropriate for the selected cipher suite.

     enum {
         rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
         rsa_ephemeral_dh(5), dss_ephemeral_dh(6), fortezza_kea(20),
         (255)
     } ClientCertificateType;

     opaque DistinguishedName<1..2^16-1>;

     struct {
         ClientCertificateType certificate_types<1..2^8-1>;
         DistinguishedName certificate_authorities<3..2^16-1>;
     } CertificateRequest;

     certificate_types This field is a list of the types of
                       certificates requested, sorted in order of the
                       server's preference.
     certificate_authorities
                       A list of the distinguished names of acceptable
                       certificate authorities.

   Note:          DistinguishedName is derived from [X509].

   Note:          It is a fatal handshake_failure alert for an
                  anonymous server to request client identification.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
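As an added example (not code from the poster, the OpenSSL project or the SSL 3.0 spec), the following Python builds and parses a CertificateRequest body laid out exactly as in the quoted 5.6.4 definitions (one-byte length for certificate_types, two-byte lengths for the CA vector and each DistinguishedName) and then applies the DN check the reply describes. The helper names and the CA names are assumptions; the DER-encoded names are constructed sample values.

```python
import struct

def der_cn(common_name: str) -> bytes:
    """Minimal DER X.501 Name with one CN (constructed sample; short-form lengths only)."""
    def tlv(tag: int, content: bytes) -> bytes:
        assert len(content) < 128, "sample names stay below the short-form length limit"
        return bytes([tag, len(content)]) + content
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, common_name.encode("ascii")))
    return tlv(0x30, tlv(0x31, attr))  # SEQUENCE { SET { SEQUENCE { OID cn, PrintableString } } }

def encode_certificate_request(cert_types: list, ca_dns: list) -> bytes:
    """Serialise the body: <1..2^8-1> type codes, then <3..2^16-1> bytes of length-prefixed DNs."""
    types = bytes(cert_types)
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    return bytes([len(types)]) + types + struct.pack("!H", len(cas)) + cas

def parse_certificate_request(body: bytes):
    """Parse the body back, rejecting lengths outside the spec's vector bounds."""
    if not body:
        raise ValueError("empty CertificateRequest")
    n, pos = body[0], 1
    if n < 1 or pos + n > len(body):
        raise ValueError("certificate_types length out of range")
    types, pos = list(body[pos:pos + n]), pos + n
    if pos + 2 > len(body):
        raise ValueError("truncated certificate_authorities length")
    (ca_len,), pos = struct.unpack("!H", body[pos:pos + 2]), pos + 2
    end = pos + ca_len
    if ca_len < 3 or end > len(body):
        raise ValueError("certificate_authorities length out of range")
    cas = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,), pos = struct.unpack("!H", body[pos:pos + 2]), pos + 2
        if dn_len < 1 or pos + dn_len > end:
            raise ValueError("DistinguishedName length out of range")
        cas.append(body[pos:pos + dn_len])
        pos += dn_len
    if pos != len(body):
        raise ValueError("trailing bytes after CertificateRequest")
    return types, cas

def chain_matches_request(chain_issuer_dns: list, acceptable_cas: list) -> bool:
    """DN-level check only: some cert in the client's chain must be issued by a listed CA.
    The server still verifies signatures up the chain; a matching name alone proves nothing."""
    return any(issuer in acceptable_cas for issuer in chain_issuer_dns)
```

Restricting which client certificates a site accepts therefore comes down to which CA names the server places in certificate_authorities (and which CA certs it trusts when verifying the chain), not to anything in the client-side cert alone.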
