On 27.01.23 21:13, Cary Huang wrote:
I agree that it is a more elegant approach to add "sslcertmode=disable" on the client side to prevent sending default certificate.But, if the server does request clientcert but client uses "sslcertmode=disable" to connect and not give a certificate, it would also result in authentication failure. In this case, we actually would want to ignore "sslcertmode=disable" and send default certificates if found.
Those are all very good points.> But, if the server does request clientcert but client uses "sslcertmode=disable" to connect and not give a certificate, it would also result in authentication failure. In this case, we actually would want to ignore "sslcertmode=disable" and send default certificates if found.
I'm just wondering if this is really necessary. If the server asks for a certificate and the user explicitly says "I don't want to send it", shouldn't it be ok for the server return an authentication failure? I mean, wouldn't it defeat the purpose of "sslcertmode=disable"? Although it might be indeed quite handy I'm not sure how I feel about explicitly telling the client to not send a certificate and having it being sent anyway :)
Best, Jim
smime.p7s
Description: S/MIME Cryptographic Signature
