On Wed, Dec 15, 2010 at 11:14:59AM -0500, Jeff Saremi wrote:
> So under situations that are not entirely clear, a call to
> SSL_get_peer_certificate() returns null after a successful SSL accept is
> done on the server.
>
> My question is if there are conditions under which one cannot rely on
> the presence of the peer certificate even if SSL_VERIFY_PEER is set?
If the client signed the handshake with a private key and presented the corresponding certificate chain, then on an initial handshake you'll see the client cert and the full trust chain and your verification callback will be invoked. If the client resumes a previously established session, your verification callback will not be called; rather, only the leaf certificate will be saved in the resumed session, and its verification status will be cached. Under these conditions, whether the session is resumed or not, SSL_get_peer_certificate() should return the leaf client certificate. Have never run into any surprises with missing client certs.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org