Ekr: Will follow up on other things later; however, request clarification on one thing:

Eric Rescorla wrote:
> S 7.4.
> When a server accepts a TLS connection, it presents its own X.509
> certificate to the client. To authenticate the client, the server
> asks the client for a certificate. If the client possesses a
> certificate, it is presented to the server. If the client does not
> present a certificate, it MUST NOT be considered authenticated.
>
> Is this really true? My understanding was that when proxy servers
> thought clients were connecting they did not request client auth,
> but rather used digest. Note that a number of clients react badly
> when a cert is requested and they don't have one.

Is this true; i.e., a number of clients react badly when a cert is
requested and they don't have one? I have used openssl 0.9.8a with
the SSL_CTX_set_verify(g_ctx, SSL_VERIFY_PEER, verify_cb) API and
that seems to work. The client does not grok if it does not have a
certificate; it will send the server if it does have one.

Admittedly, I have only used the openssl library and do not know what
other TLS libraries do when the same scenario occurs.

Thanks,

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: [EMAIL PROTECTED],bell-labs.com,acm.org}
WWW: http://www.alcatel-lucent.com/bell-labs
