On Wed, Feb 22, 2006 at 11:52:11AM -0700, Ken Johanson wrote:
> Apple/Safari browsers (all current versions) have a bug where if they
> attempt to connect to an SSL client-authenticated website, and have
> client certs in their keystore whose signers/chain is not solicited
> during SSL handshake... then Safari may send the unsolicited cert
> anyway.
Most SMTP clients send client certificates even when the signing CA is not
solicited. The Postfix SMTP server does not complain if the client
certificate verification fails. The key issue is coding the server-side
verification callback correctly, so that the session is not rejected
despite the unverifiable client certificate.

From the bottom of tls_verify_certificate_callback():

    /*
     * Never fail in case of opportunistic mode.
     */
    if (TLScontext->enforce_verify_errors)
        return (ok);
    else
        return (1);

Normally "enforce_verify_errors" is not set.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
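The following is an added example, not Postfix code and not from the message above: it models the verify callback whose tail is quoted there, to show what a server has to do besides "return 1 in opportunistic mode" so that an unverifiable client certificate is tolerated without the session being silently treated as authenticated. Only the enforce_verify_errors flag and the final return logic come from the message; the TLScontext_t struct, the callback parameters (standing in for what OpenSSL supplies through X509_STORE_CTX), the chain-walk helper and the scenario functions are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Assumed per-session context. enforce_verify_errors is the flag named in
 * the message; the remaining fields are added so the outcome of
 * verification is recorded for later policy (logging, relay decisions).
 */
typedef struct {
    int enforce_verify_errors;   /* 1: abort on verify error; 0: opportunistic (default) */
    int peer_verified;           /* 1 until the first verify error is seen */
    int first_error_depth;       /* chain depth of the first error, -1 if none */
    char first_error[128];       /* reason text for the first error */
} TLScontext_t;

void tls_context_init(TLScontext_t *ctx, int enforce)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->enforce_verify_errors = enforce;
    ctx->peer_verified = 1;
    ctx->first_error_depth = -1;
}

/*
 * Called once per certificate in the chain, deepest certificate first, as
 * OpenSSL does. ok is the library's verdict for this certificate and
 * err_string the text it would report (both assumed here, passed by the
 * caller instead of read from X509_STORE_CTX).
 */
int tls_verify_certificate_callback(int ok, int depth, const char *err_string,
                                    TLScontext_t *TLScontext)
{
    if (!ok && TLScontext->peer_verified) {
        /* Keep the first failure: "encrypted" must stay distinguishable
         * from "encrypted and peer verified" after the handshake. */
        TLScontext->peer_verified = 0;
        TLScontext->first_error_depth = depth;
        snprintf(TLScontext->first_error, sizeof(TLScontext->first_error),
                 "%s", err_string ? err_string : "unknown verify error");
    }

    /*
     * Never fail in case of opportunistic mode.
     */
    if (TLScontext->enforce_verify_errors)
        return (ok);
    else
        return (1);
}

/*
 * Models the chain walk: returns 1 if the handshake may continue, 0 if the
 * callback aborted it. Index i describes the certificate at depth i
 * (0 = leaf).
 */
int run_chain_verification(TLScontext_t *ctx, int chain_len,
                           const int *ok_per_depth, const char *const *err_per_depth)
{
    for (int depth = chain_len - 1; depth >= 0; depth--) {
        if (!tls_verify_certificate_callback(ok_per_depth[depth], depth,
                                             err_per_depth[depth], ctx))
            return 0;   /* OpenSSL would abort the handshake here */
    }
    return 1;
}

/* Constructed scenario: a client cert whose issuer is not in the server's store. */
static const int unknown_issuer_ok[2] = { 1, 0 };
static const char *const unknown_issuer_err[2] =
    { NULL, "unable to get local issuer certificate" };

/* Opportunistic mode: session continues, but is recorded as unverified. */
int unsolicited_client_cert_opportunistic(void)
{
    TLScontext_t ctx;
    tls_context_init(&ctx, 0);
    int cont = run_chain_verification(&ctx, 2, unknown_issuer_ok, unknown_issuer_err);
    return cont && !ctx.peer_verified && ctx.first_error_depth == 1;
}

/* Mandatory mode: the same chain aborts the handshake. */
int unsolicited_client_cert_enforced(void)
{
    TLScontext_t ctx;
    tls_context_init(&ctx, 1);
    return run_chain_verification(&ctx, 2, unknown_issuer_ok, unknown_issuer_err) == 0;
}

/* Constructed scenario: a chain that verifies cleanly in either mode. */
int verified_client_cert(int enforce)
{
    TLScontext_t ctx;
    const int ok[2] = { 1, 1 };
    const char *const err[2] = { NULL, NULL };
    tls_context_init(&ctx, enforce);
    int cont = run_chain_verification(&ctx, 2, ok, err);
    return cont && ctx.peer_verified && ctx.first_error_depth == -1;
}
```

The point of peer_verified and first_error is that an opportunistic server which returns 1 unconditionally has no other way to tell, after the handshake, whether the certificate it saw was trustworthy; anything that later grants privileges based on "the client presented a certificate" must consult the recorded verdict rather than the mere presence of a peer certificate.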