Yunhong Li wrote:
>
> Steve wrote:
>
> >I feel like I've answered this one aleph null times but maybe it's
> >just my imagination...
>
> >When a server requests client auth it sends out a list of acceptable
> >CAs. With s_server in OpenSSL this list is in the file passed in the
> >-CAfile option it should be a PEM encoded set of acceptable CA
> >certificates.
>
> I don't think it is right. There is *no* need to (or cannot just) send out
> a list of acceptable CAs. When a server requests the client auth, it sends
> a certificate_request to the client. When the server receives the cert
> from the client, it verifies the cert using its CAs.
>
I was stating the effect rather than the precise protocol details of the
process. This was in the context of a newbie question.
You are correct that the certificate request message requests the client
certificate and that includes the list of acceptable CA DNs. The list
is a mandatory requirement: see SSL v3 5.6.4.
> The logic is reversed when a client requests server auth.
>
The client does not request server auth.
The server certificate (if any) is sent after the server hello as a
certificate message. See SSLv3 5.6.2.
The server might however decide which (if any) certificate to include
based on the list of permitted ciphers in the cipher_suites field of the
client_hello message.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
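The certificate_request layout Steve cites (SSLv3 5.6.4, unchanged in TLS 1.0/1.1), as an added example that is not part of the original thread or of OpenSSL: a server-side builder that serialises the certificate_types vector and the list of acceptable CA DNs, a client-side parser that recovers them, and the selection step a client performs against that list. The CA names, the certificate labels in the client's wallet and all function names are constructed for illustration; the DER encoder/decoder handles only the single-attribute RDNs these samples use.

```python
# Added example (not OpenSSL code): SSLv3 5.6.4 certificate_request, with
# constructed CA names and a constructed client-side certificate "wallet".
import struct

HT_CERTIFICATE_REQUEST = 13          # HandshakeType certificate_request
RSA_SIGN, DSS_SIGN = 1, 2            # ClientCertificateType values (SSLv3 5.6.4)
# X.520 attribute OIDs as raw DER contents: 2.5.4.6, 2.5.4.10, 2.5.4.3
OID_C, OID_O, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"
OID_NAMES = {OID_C: "C", OID_O: "O", OID_CN: "CN"}

def der_tlv(tag, body):
    """Wrap body in a DER tag and length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body

def encode_dn(attrs):
    """DER X.501 Name: SEQUENCE of SET of SEQUENCE { OID, UTF8String }."""
    rdns = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, val.encode())))
        for oid, val in attrs)
    return der_tlv(0x30, rdns)

def der_read(buf, pos):
    """Read one DER element at pos; return (tag, body, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def dn_to_str(der):
    """Render a DER Name as 'C=.., O=.., CN=..' in encoded order."""
    tag, rdn_seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = der_read(rdn_seq, pos)
        _, atv, _ = der_read(rdn_set, 0)       # one attribute per RDN here
        _, oid, p = der_read(atv, 0)
        _, value, _ = der_read(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ", ".join(parts)

def build_certificate_request(cert_types, ca_dns):
    """Server side. certificate_types<1..2^8-1> has a 1-byte length;
    certificate_authorities<3..2^16-1> a 2-byte length, and each
    DistinguishedName inside it is opaque<1..2^16-1>. (TLS 1.2 inserts a
    supported_signature_algorithms vector between the two fields.)"""
    types = bytes([len(cert_types)]) + bytes(cert_types)
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body = types + struct.pack("!H", len(cas)) + cas
    return bytes([HT_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg):
    """Client side: recover (certificate_types, [DER DN, ...]) from the message."""
    if msg[0] != HT_CERTIFICATE_REQUEST:
        raise ValueError("not a certificate_request")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    ntypes = body[0]
    cert_types, pos = list(body[1:1 + ntypes]), 1 + ntypes
    (cas_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + cas_len != len(body):
        raise ValueError("certificate_authorities length mismatch")
    dns = []
    while pos < len(body):
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        dns.append(body[pos:pos + dn_len])
        pos += dn_len
    return cert_types, dns

def select_client_cert(acceptable_dns, candidates):
    """Client side: first (label, issuer DN) whose issuer the server listed.
    None means the client has nothing suitable to offer. Whatever it sends,
    the server still verifies the chain itself against its own CA store."""
    acceptable = set(acceptable_dns)
    for label, issuer in candidates:
        if issuer in acceptable:
            return label
    return None

# Constructed sample data: two CA names a server might have loaded via -CAfile,
# plus a self-signed name that no server-trusted CA issued.
ROOT_CA_DN = encode_dn([(OID_C, "GB"), (OID_O, "Example Ltd"), (OID_CN, "Example Root CA")])
CORP_CA_DN = encode_dn([(OID_C, "US"), (OID_O, "Corp Inc"), (OID_CN, "Corp Issuing CA")])
SELF_SIGNED_DN = encode_dn([(OID_CN, "alice")])
SAMPLE_REQUEST = build_certificate_request([RSA_SIGN, DSS_SIGN], [ROOT_CA_DN, CORP_CA_DN])

if __name__ == "__main__":
    types, dns = parse_certificate_request(SAMPLE_REQUEST)
    print("certificate_types:", types)
    for dn in dns:
        print("acceptable CA:", dn_to_str(dn))
    wallet = [("alice-selfsigned", SELF_SIGNED_DN), ("alice-corp", CORP_CA_DN)]
    print("client offers:", select_client_cert(dns, wallet))
```

The two halves of the message mirror the two sides of the disagreement above: the server announces which CAs it will accept (s_server takes that list from -CAfile, as Steve says), the client uses the list only to choose what to offer, and verification of whatever arrives is still done by the server against its own store. The same DN list is still sent in TLS 1.2 (after the added signature-algorithms vector) and in TLS 1.3 it moves into the certificate_authorities extension of CertificateRequest.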