On Mon, Mar 21, 2005, Victor Duchovni wrote:
> On Mon, Mar 21, 2005 at 07:28:24PM +0100, Dr. Stephen Henson wrote:
>
> > > I request client certificates because I need to authenticate a small
> > > number of clients (currently 1). When I ask for client certificates, all
> > > clients that have a client certificate (often self-signed) volunteer their
> > > certificates during the handshake. I don't need them, but I get them.
> > >
> >
> > Can't you change it so the server only requests a certificate when either the
> > user requests expanded privileges or attempts a privileged action? Then if an
> > invalid certificate is given it would be rejected.
> >
>
> No. TLS is invariably negotiated way before one knows what the peer has
> in mind or who the peer is. My use case is SMTP+STARTTLS. The only
> things I know about the client are its IP address and HELO name. The
> code does not currently support requesting client certificates only
> from specified networks (or helo names), and tracking these will
> make the configuration more fragile.
>
In some cases TLS is negotiated initially without a client certificate, then when some action is performed the session is renegotiated, this time requesting one. That's done on some webservers after a certain URL is requested, for example. From your description though that doesn't seem to be possible in this case.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
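The webserver behaviour Steve describes (initial handshake with no client certificate, renegotiation that requests one only once a protected URL is hit) is what Apache httpd's mod_ssl does when SSLVerifyClient is tightened inside a Location or Directory block. The configuration below is an added illustration, not part of the original thread and not a configuration either poster supplied; the CA file path, the /admin path and the hostname are assumed for the example.

```apache
# Added example (not from the original thread): per-URL client certificate
# request via renegotiation in Apache httpd mod_ssl. Paths and names are
# placeholders chosen for illustration.
<VirtualHost *:443>
    ServerName mail-admin.example.net           # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt   # assumed path
    SSLCertificateKeyFile /etc/ssl/server.key   # assumed path

    # Initial handshake: do not ask the client for a certificate at all, so
    # clients that carry self-signed certificates are never prompted and
    # nothing is rejected at connection time.
    SSLVerifyClient none

    # Only for this URL does the server require a certificate. With TLS 1.2
    # and earlier mod_ssl renegotiates the session after the request line is
    # read, this time sending a CertificateRequest; the request is refused if
    # the presented certificate does not chain to the configured CA.
    <Location "/admin">                          # assumed protected path
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLCACertificateFile /etc/ssl/client-ca.pem   # assumed path
    </Location>
</VirtualHost>
```

Two caveats a practitioner should keep in mind. First, this is exactly the step that is unavailable to Victor's SMTP+STARTTLS case: HTTP hands the server a URL before any privileged action, while SMTP offers nothing comparable before the TLS handshake completes. Second, TLS 1.3 removed renegotiation entirely; a server running TLS 1.3 achieves the same "ask later" effect with post-handshake client authentication (RFC 8446, section 4.6.2, exposed in OpenSSL as SSL_verify_client_post_handshake()), which the client must have opted into during the initial handshake.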