On Mon, Mar 21, 2005 at 07:28:24PM +0100, Dr. Stephen Henson wrote:

> > I request client certificates because I need to authenticate a small
> > number of clients (currently 1). When I ask for client certificates, all
> > clients that have a client certificate (often self-signed) volunteer their
> > certificates during the handshake. I don't need them, but I get them.
> >
>
> Can't you change it so the server only requests a certificate when either the
> user requests expanded privileges or attempts a privileged action? Then if an
> invalid certificate is given it would be rejected.
>
No. TLS is invariably negotiated way before one knows what the peer has in
mind or who the peer is. My use case is SMTP+STARTTLS. The only things I know
about the client are its IP address and HELO name. The code does not currently
support requesting client certificates only from specified networks (or helo
names), and tracking these will make the configuration more fragile.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]