> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 09, 1999 3:58 PM
> To: [EMAIL PROTECTED]
> Cc: Wade L. Scholine
> Subject: Re: Using multiple CA certs for client verification
>
>
> Wade L. Scholine <[EMAIL PROTECTED]>:
>
> > I have been using client verification with one CA cert by doing an
> > SSL_CTX_load_verify_locations() with the file arg pointing to a filename
> > and the path arg null.
> >
> > I want to extend this to accept client certs from multiple CAs.
> > Scanning back through my archive of this list I see the following
> > from Bodo Moeller, which seems to imply that what I am already doing
> > should not work:
>
> >> A likely error is that your server does not send the list of accepted CAs.
> >> SSL_CTX_load_verify_locations is not enough, you also need
> >> SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile))
> >> (assuming that CAfile is a file that contains "PEM" format certificates
> >> of all CAs that you want to accept).
>
> > Now, this confuses me. I am not now doing a SSL_CTX_set_client_CA_list()
> > (or any of the .+add_client_CA() routines) and yet when I connect to my
> > server with a browser I get prompted to pick a cert.
>
> But it's not the newest version of whatever browser you're using,
> right? I think I've heard that some older browsers let the user
> choose any certificate when the server has asked for a client cert but
> has not provided the list of acceptable CAs (which is not legal server
> behaviour according to the SSL 3.0 and TLS 1.0 specifications, and
> does not work with many other browsers).
>
I think I did figure this out. The server's CertificateRequest message won't
have a list of acceptable CAs in it unless I do a
SSL_CTX_set_client_CA_list() or something that works like it. In fact the
behavior I was seeing was what you describe: the browser was displaying all
of the certs it knew about, not just the appropriate ones. When I add the
call to SSL_CTX_set_client_CA_list() in the server, my browsers only let me
pick from certs signed by the appropriate issuers.

I'm a little unclear on why there are two APIs for this. Why should
SSL_CTX_load_verify_locations() not add the certs it finds to the client CA
list, when the SSL_METHOD associated with the sslctx is a server method? I
guess that's really a question for the dev list...

Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]