On Wed, May 31, 2000 at 12:13:45PM -0300, Marcos Rogerio wrote:
> Hi, Mr. Lutz,
> Thank you for your return.
> >
> >This should go into the FAQ...
> >The client will only send the certificate if requested by the server.
> >The server must hence be configured with the SSL_VERIFY and corresponding
> >SSL_VERIFY_CLIENT_ONCE (maybe SSL_VERIFY_FAIL_IF_NO_PEER_CERT) using
> >the SSL_CTX_set_verify(ctx, verify_flags, verify_callback) call.
> >See e.g. the openssl s_server source code for the flags "-verify"
> >and "-Verify".
>
> I also tried this. I used SSL_CTX_set_verify() with it's required fields
> and passed
> verify_flag=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
> to it. But I have noted that the callback function is never executed.
> Is it possible to have the client cert passing NULL as the callback to
> the SSL_CTX_set_verify()? Is this SSL_CTX_set_verify() setup the only
> requirement to client authentication to work properly?
If SSL_VERIFY_PEER is set, the server will send its certificate request
to the client (ssl/s3_srvr.c:314). The server _can_ send a list of
acceptable CAs (see section 7.4.4 in RFC2246).
In this case, your clients _can_ send a certificate. Whether this actually
happens is up to you to check.
I would recommend that you compile your application and OpenSSL with debugger
support (-g) and then set breakpoints for ssl3_send_certificate_request()
to check whether the certificate request really goes out (you can also
interpret the bytes sent to the client) and for ssl3_get_client_certificate()
to see whether one is actually presented.
Best regards,
Lutz
PS. I actually use client certificates a lot. Please feel free to check out
my Postfix/TLS patchkit (available from my homepage).
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
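Added example (not part of the thread, and not Lutz's or OpenSSL's code) showing the
server-side behaviour the reply describes: with SSL_VERIFY_PEER alone the server
sends a CertificateRequest but the client may still answer with no certificate, and
the server only notices if it checks the peer certificate itself; adding
SSL_VERIFY_FAIL_IF_NO_PEER_CERT makes the handshake fail instead. It uses Python's ssl
module, whose CERT_OPTIONAL is SSL_VERIFY_PEER and whose CERT_REQUIRED is
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT (SSL_VERIFY_CLIENT_ONCE is not exposed
there). It assumes the openssl command-line tool is on PATH to mint throwaway
self-signed certificates; the names demo-server and demo-client are made up.

```python
"""Loopback mutual-TLS handshakes, reported from the server's point of view.

Added example; assumes the `openssl` CLI is available to create test certs.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_test_pki(workdir):
    """Mint two throwaway self-signed certs (constructed names demo-server / demo-client)."""
    if shutil.which("openssl") is None:
        raise RuntimeError("this demo needs the openssl CLI to create test certificates")
    paths = {}
    for who in ("server", "client"):
        key, crt = os.path.join(workdir, who + ".key"), os.path.join(workdir, who + ".crt")
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-days", "1", "-subj", "/CN=demo-" + who,
                        "-keyout", key, "-out", crt], check=True, capture_output=True)
        paths[who + ".key"], paths[who + ".crt"] = key, crt
    return paths


def server_view_of_handshake(pki, verify_mode, client_sends_cert):
    """Run one handshake over 127.0.0.1 and return what the server observed.

    Returns {"accepted": bool, "client_cn": str or None, "error": str or None}.
    """
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(pki["server.crt"], pki["server.key"])
    # The self-signed client cert doubles as the trust anchor for client auth.
    srv_ctx.load_verify_locations(cafile=pki["client.crt"])
    srv_ctx.verify_mode = verify_mode  # CERT_OPTIONAL == SSL_VERIFY_PEER, etc.

    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli_ctx.check_hostname = False
    cli_ctx.verify_mode = ssl.CERT_NONE  # server authentication is not the point here
    if client_sends_cert:
        cli_ctx.load_cert_chain(pki["client.crt"], pki["client.key"])

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    outcome = {"accepted": False, "client_cn": None, "error": None}

    def serve():
        raw, _ = listener.accept()
        raw.settimeout(5)
        try:
            with srv_ctx.wrap_socket(raw, server_side=True) as tls:
                cert = tls.getpeercert()  # None when the client presented no certificate
                if cert:
                    outcome["client_cn"] = dict(rdn[0] for rdn in cert["subject"])["commonName"]
                outcome["accepted"] = True
                tls.sendall(b"hello")
        except ssl.SSLError as exc:
            outcome["error"] = exc.reason or str(exc)
        finally:
            raw.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with cli_ctx.wrap_socket(raw) as tls:
                tls.recv(16)  # drives the handshake to completion; errors if the server rejected us
    except OSError:
        pass  # the server-side record is what we report
    worker.join(5)
    listener.close()
    return outcome


def demo():
    """Run the four combinations of verify mode and client behaviour."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_test_pki(workdir)
        return {
            "optional_no_cert": server_view_of_handshake(pki, ssl.CERT_OPTIONAL, False),
            "optional_with_cert": server_view_of_handshake(pki, ssl.CERT_OPTIONAL, True),
            "required_no_cert": server_view_of_handshake(pki, ssl.CERT_REQUIRED, False),
            "required_with_cert": server_view_of_handshake(pki, ssl.CERT_REQUIRED, True),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The optional_no_cert case is the one the thread is about: the server asked for a
certificate, the client sent none, the handshake still succeeded and getpeercert()
returns None, so nothing ever reaches a verify callback. Whether that is acceptable
is a decision the server has to make explicitly, either by checking the peer
certificate after the handshake or by requiring one up front.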