On Sun, Nov 11, 2001 at 09:50:26AM +0200, Sharon Hezy wrote:
> I'm trying to implement client authentication with an OpenSSL client & server.
> Everything works fine: the server asks for the client's certificate, gets it &
> verification succeeds too. The only problem is that I can't make the client
> send to the server a certificate that matches one of the names in the server's CA
> list (defined on the server side with SSL_CTX_set_client_CA_list()). What I
> want is that the client will send a certificate ONLY if it is signed by one of the
> server's trusted CAs (from the CA list), and, if the client doesn't have a
> certificate like that, it shouldn't send anything. In fact, I'm getting a
> different behavior: the client always sends its certificate, even if it is signed
> by a CA unknown to the server. From the SSL_CTX_set_client_CA_list() documentation
> it seems to me that the behavior that I'm expecting is the right one, and
> the one I'm getting is the wrong one. Does anybody know how to help me?

You are experiencing the default behaviour of the OpenSSL client code.
It does not check whether the available client certificate matches
the list of client CAs sent.
There exists a callback function set via SSL_CTX_set_client_cert_cb(),
that should help an application to perform the required operation:
upon client certificate request, the callback is called and the
application can then load the corresponding private key and certificate.
The exact functioning is not (yet?) documented. Due to limitations
in the data structures (OpenSSL can only handle one certificate chain
per SSL object that is never reset), it would be necessary to
SSL_free() the SSL object afterwards, which is contradictory to the normal
behaviour, where SSL_clear() is good enough.
I have therefore not written the corresponding manual pages, as I would not
like to give incomplete examples.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
