> From: owner-openssl-us...@openssl.org On Behalf Of Jeff Saremi
> Sent: Wednesday, 15 December, 2010 11:15
>
> We have some intermittent problems which seem to go away after
> restarting our server.
> The problem is that the client's certificate disappears on the server,
> even though SSL_VERIFY_PEER is set in the context using
> SSL_CTX_set_verify().
>

Is the SSL_CTX* always set before you create (any) SSL* from it? (Or (re)set in the SSL* before you handshake?) Could you have a bug in (any!) other code that clobbers memory? (These are often very hard to debug, at least in C and C++ <G>. Maybe you can put in monitoring/debug code that checks every H hours or C connections or M messages or somesuch that settings are still correct.)

> So under situations that are not entirely clear, a call to
> SSL_get_peer_certificate() returns null after a successful SSL accept is
> done on the server.
>
> My question is if there are conditions under which one cannot rely on
> the presence of the peer certificate even if SSL_VERIFY_PEER is set?
>

*On server* just SSL_VERIFY_PEER only causes it to *allow* client auth, by sending CertReq and processing the response(s). accept still succeeds if the client chooses not to auth. Add SSL_VERIFY_FAIL_IF_NO_PEER_CERT to make accept fail.

But I see no reason that should be changed by server restart, if you have the same clients attempting the same connections. (Maybe you don't; maybe clients differ from one week to the next, or at different times of day or seasons of the year or something. Or maybe you have one or a few bad client(s) who only connect every 2 weeks, so it usually happens to be more than a week since the last server (re)start. Etcetera Yul Brynner.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org