On Wed, Nov 30, 2005 at 06:07:20PM -0500, Sean Rhea wrote:
> On Nov 30, 2005, at 4:42 PM, Victor Duchovni wrote:
> >This is completely doable. Example code to be found in many SSL
> >applications.
> >
> > http://www.postfix.org/TLS_README.html#server_vrfy_client
> > http://www.postfix.org/TLS_README.html#server_access
> > http://www.postfix.org/postconf.5.html#permit_tls_clientcerts
> >
> >Source code:
> >
> > http://www.postfix.org/dowload.html
> >
> >get 2.3-20051128 and look at:
> >
> > src/tls/tls_verify.c
> > src/tls/tls_server.c
> > src/tls/tls_client.c
>
> Sorry, I don't actually see that the postfix code is doing what I
> want. I see that you're computing the client's fingerprint in
> tls_server.c, but that's only after SSL has verified the client
> certificate. In my case, the client has a self-signed certificate,
> so the verification fails. As a result (I think),
> SSL_get_peer_certificate is returning NULL (see sample code below).
>
Yes, but the verification is optional; just tell SSL that the certs
verify OK. Postfix only uses fingerprints of verified clients, but you
don't have to do that. The machinery is much the same. In the Postfix client,
the server verification is optional.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]