[EMAIL PROTECTED] (Dominic Mitchell) writes:
> On Thu, Sep 23, 2004 at 04:37:52PM -0400, Tom Lane wrote:
>> That last statement is not actually correct, is it?  AFAICS we do tell
>> SSL to enforce certificates if we find a valid root.crt file.

> According to the docs[1], you also need
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT if you want requests that do not send a
> certificate to be rejected.  That terminates the connection immediately.
> [1] http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

Hmm.  Reading the SSL man page more closely, you're right.  This is a bug
IMHO --- the intention was that presence of a root.crt file would force
verification.  What we wanted to do was to allow servers to operate
without a root.crt file if they didn't care about verifying client

It looks like the original coder simply got this backwards: the backend
code doesn't set SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but the frontend code
does, which is silly because the flag is ignored on the client side.

Does anyone see a reason not to turn on SSL_VERIFY_FAIL_IF_NO_PEER_CERT
on the backend side?

                        regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
      subscribe-nomail command to [EMAIL PROTECTED] so that your
      message can get through to the mailing list cleanly

Reply via email to