Tom Wu wrote:
> When I specify the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag to
> SSL_CTX_set_verify, it has the intended effect if I set it on the server
> side; a client not presenting a cert is rejected. Setting this on the
> client side does not appear to have the same effect; a server that does
> not present a cert is still allowed to connect, so long as ADH
> ciphersuites are enabled. Looking through the code, s3_srvr.c has code
> that does this checking, whereas s3_clnt.c lacks it. Should a client
> side SSL_CTX understand/implement the FAIL_IF_NO_PEER_CERT flag?
Hrrm. ADH ciphersuites don't use certs, if I'm not mistaken, so this
behaviour makes a certain amount of sense.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
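The practical consequence of the exchange above for a client: SSL_VERIFY_FAIL_IF_NO_PEER_CERT never fires on the client side, so a client that wants to be sure the server was authenticated has to (a) keep anonymous suites out of its cipher list and (b) check after the handshake that a certificate was actually presented. The following is an added example, not code from the thread or from OpenSSL itself. It uses Python's standard-library ssl module as a thin stand-in for the C API, since it drives the same OpenSSL cipher-list and verify-mode machinery; the function names anonymous_suites, hardened_client_context, describe_context and peer_was_authenticated are the example's own. It assumes an OpenSSL build that still ships ADH/AECDH suites (reachable only at security level 0) and it opens no network connection.

```python
"""Client-side guard against anonymous (ADH/AECDH) ciphersuites.

Added example (not from the OpenSSL list thread). Assumptions: Python's
stdlib ssl module over an OpenSSL build that still contains the ADH/AECDH
suites; those suites are only selectable at '@SECLEVEL=0'. Nothing here
touches the network.
"""
import ssl


def anonymous_suites(cipher_string):
    """Names of anonymous suites a client using `cipher_string` could
    negotiate. OpenSSL's own description reports 'Au=None' for a suite that
    performs no server authentication, so we key on that rather than on
    the name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL refuses a list that selects no ciphers at all (or, on
        # builds without security levels, a '@SECLEVEL=' token).
        return []
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if "Au=None" in c["description"])


def hardened_client_context(cafile=None):
    """Client context that cannot land in the situation the thread
    describes: anonymous suites are excluded from the cipher list and a
    verified peer certificate is required."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Verify mode on its own is not enough: with an ADH suite there is no
    # certificate to verify, so nothing would ever fail verification.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # The explicit '!aNULL' is the part that actually closes the hole.
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL")
    return ctx


def describe_context(ctx):
    """Summarise the settings that matter for this check."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "anonymous": sorted(c["name"] for c in ctx.get_ciphers()
                            if "Au=None" in c["description"]),
    }


def peer_was_authenticated(ssock):
    """Post-handshake check on a connected ssl.SSLSocket: getpeercert()
    returns None when the server presented no certificate, whatever suite
    was negotiated, so a client can refuse to proceed on that alone."""
    return ssock.getpeercert(binary_form=True) is not None


if __name__ == "__main__":
    # 'ALL' includes aNULL; at security level 0 the ADH/AECDH suites show up.
    print("ALL @SECLEVEL=0:", anonymous_suites("ALL:aNULL:@SECLEVEL=0"))
    # Excluding aNULL removes them even at security level 0.
    print("ALL:!aNULL @SECLEVEL=0:", anonymous_suites("ALL:!aNULL:@SECLEVEL=0"))
    print("hardened:", describe_context(hardened_client_context()))
```

The two halves are deliberately separate: the cipher-list exclusion stops an anonymous suite from being negotiated at all, and the getpeercert() check catches any configuration drift (a cipher string edited later, a library default that differs) before application data is sent.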
